Accelerate App Security and Availability with vRealize Network Insight

Martijn Smit, VMware, Inc.
Sajan Liyon, VMware, Inc.

Session SAI2555BE (#vmworld #SAI2555BE)

VMworld 2018 Content: Not for publication or distribution



Page 2

Disclaimer

This presentation may contain product features or functionality that are currently under development.

This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined.

Page 3

Agenda

Network & Security Model for the Digital Era: Application Centricity

The Micro-Segmentation Journey with vRealize Network Insight

Demos

“The Network is the Computer” (John Gage, 1984, Sun Microsystems). An exciting time, when this is becoming a reality.

Page 4

Network Model for Digital Era

[Figure: site map with many BRANCH, TELCO/NFV and EDGE/IOT locations; the images themselves are not recoverable]

Page 5

The Application is a Network

“The Application Is a Network” — “Any Device, Any Cloud, Any Application”

The big quandary for IT and network professionals: I am still responsible for application and application-network performance, but I don’t control or have access to any of the infrastructure that delivers it.

Change in Computing Paradigms

Page 6

A new approach is needed to secure the hyper distribution of apps and data

[Figure: Data center, Cloud, IoT / Branch, SaaS, PaaS, IaaS]

Software + (Hyper)Connectivity are Fueling a Shift From Data Centers to Centers of Data

Security and control everywhere

Page 7

Changing the Application Security Model: From chasing bad to ensuring good

[Figure: App / OS stack with labels 75,000,000 and 75; “Chasing Bad” vs. “Ensuring Good” across Devices, Users, Access, Compute, Network, Data]

Page 8

VMware is in a Unique Position to Deliver & Operationalize Next-gen Security

[Figure: Mobility, Context, Control, Secure Infrastructure; SDDC and User Access Layer; Compute, Network, Data, Access, Users, Devices, Apps; products NSX, AppDefense, Workspace ONE, Network Insight]

Page 9

Security Planning & Network Visibility Across the Virtual Cloud Network

[Figure: vRealize Network Insight at the center of Users; VMs, Containers, Microservices; Branch Offices; Public Clouds; Telco Networks; Private Data Centers; Things]

• Applications: Discovery, Connectivity, Security
• Visibility, Analytics, Insights
• Network Troubleshooting
• Closed Loop Security: Planning & Enforcement
• Self-Driving Operations

Page 10

5 Steps to Application-Centric Micro-segmentation

Download the complete guide at vmware.com/nsx/security

1. Assess current environment: FREE Virtual Network Assessment available!
2. Deploy NSX Data Center: NO changes to your current physical network!
3. Identify Application Boundaries: Discover services, applications and their boundaries!
4. Get Recommended Firewall Rules: Application Rules Manager in NSX helps provide application-level rules!
5. Repeat, Monitor, Troubleshoot: Deploy micro-segmentation starting with the most critical apps first!

NSX Data Center and vRealize Network Insight for Micro-segmentation Nirvana!

Page 11

Understanding Your Environment: Applications across Virtual, Physical and Cloud

Your Application Model

• Network Flows
• In-Guest Processes
• User Groups (Ex: Active Directory)
• CMDB (Ex: ServiceNow)
• Blueprints and Manifests

[Figure: Process, Flows, Blueprints, User Groups, CMDB]

Page 12

The “Deny Everything Else” State: Getting to the right security groups and policies

• Identifying Workloads with Common Network Behavior (Your Applications and App Tiers)
• Grouping - Workload Characteristics, Ports, Common Services
• Recommended Security Policies and Firewall Rules for a Zero-Trust Model
• Enforcement Points (with NSX Data Center, Physical, Cloud)
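As an added illustration (not code from the deck or from VMware's product), the following Python models the group-then-recommend step this slide describes: workloads are grouped by the service ports they are observed serving, each observed flow is collapsed into a tier-to-tier allow rule, a rule exercised by only a minority of a tier's members is held for review instead of being allowed, and any flow not matched by an allow rule falls into the deny-everything-else state. The flow records, VM names and the 50% coverage threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample flow records (src_vm, dst_vm, dst_port); not real telemetry.
FLOWS = [
    ("lb-01", "web-01", 443), ("lb-01", "web-02", 443), ("lb-01", "web-03", 443),
    ("web-01", "app-01", 8443), ("web-02", "app-02", 8443), ("web-03", "app-01", 8443),
    ("app-01", "db-01", 3306), ("app-02", "db-01", 3306),
    ("web-01", "db-01", 3306),  # one web VM bypassing the app tier
]

def group_by_behaviour(flows):
    """Assign each VM to a tier named after the set of ports it is seen serving."""
    served, vms = defaultdict(set), set()
    for src, dst, port in flows:
        served[dst].add(port)
        vms.update((src, dst))
    return {vm: "svc:" + "/".join(str(p) for p in sorted(served[vm]))
            if served[vm] else "no-service" for vm in sorted(vms)}

def recommend_rules(flows, tiers, min_coverage=0.5):
    """Collapse flows into (src_tier, dst_tier, port) allow rules.
    coverage = share of the source tier's members observed using the rule; a rule
    below min_coverage is held for review (likely an outlier) instead of allowed."""
    members, sources = defaultdict(set), defaultdict(set)
    for vm, tier in tiers.items():
        members[tier].add(vm)
    for src, dst, port in flows:
        sources[(tiers[src], tiers[dst], port)].add(src)
    allow, review = [], []
    for rule, srcs in sorted(sources.items()):
        coverage = len(srcs) / len(members[rule[0]])
        (allow if coverage >= min_coverage else review).append(rule)
    return allow, review

def is_allowed(flow, tiers, allow):
    """Evaluate one flow against the allow list; everything else is denied."""
    src, dst, port = flow
    return (tiers.get(src), tiers.get(dst), port) in set(allow)

if __name__ == "__main__":
    tiers = group_by_behaviour(FLOWS)
    allow, review = recommend_rules(FLOWS, tiers)
    for rule in allow:
        print("ALLOW ", rule)
    for rule in review:
        print("REVIEW", rule)
    print("DENY   everything else (default)")
```

With the constructed flows the single web-to-database flow ends up in the review list rather than becoming a tier-wide allow rule, which is the kind of outlier a zero-trust policy review should catch before enforcement.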


Page 13

Ensuring App Availability with more VCN Metrics: Through Network Latency and Streaming Telemetry

• Why are my apps slow? (My network & business SLAs)
• Identify latency of flows associated with app tiers (RTT of flow)
• Latency in accessing the app?
• Is there latency in my virtual infrastructure?
• Is it in the host? (vNIC to vNIC, vNIC to pNIC)
• Is it in the path? (VTEP to VTEP)
• Is there any latency in my underlay?
• Microburst detection (queue depths)
• Hop-by-hop latency

[Figure: VCN latency metrics feed metadata analysis, which feeds business intent / VCN intent and policy/workload optimization]

Network Telemetry: Streaming telemetry, real-time data collection.

Analytics: Looking for patterns in the latency w.r.t. events in the network.

Intent: Policy & business outcome from analytics.

Page 14

Virtual Cloud Network Latency: What does network latency mean in virtualization?

[Figure: two VMs with vmxnet3 vNICs on Port1/Port2; dispatch and mirroring; teaming on Port3/Port4; uplink layer with vmnic0/vmnic1 to the pNICs. Latency segments labelled vNIC to pNIC, pNIC to vNIC, vNIC to vNIC, and VTEP to VTEP]

In the context of virtualization, it includes the following:

• Latency in the sender guest (VM)
• Latency in the host (hypervisor) where the sender VM runs
• Physical network latency
• Latency in the host where the receiver VM runs, and receiver guest latency

Page 15

Operationalizing Micro-segmentation: Getting to the right security groups and policies

[Figure: enforcement points: 3rd Party Virtual Firewall, VXLAN, VLAN, Physical Firewall, NSX Firewall]

Page 16

Demo: Accelerate your Micro-segmentation Journey

Page 17

5 Steps to Application-Centric Micro-segmentation (slide repeated from Page 10)

Page 18

Operationalizing Micro-segmentation: Day 2 readiness for monitoring and troubleshooting is as critical as securing your apps

• Intent vs. Realized
• Overlay-Underlay
• Troubleshooting
• Change, Audit & Compliance
• Continuous Analytics

Page 19

Operations with ACI Underlay

• EPG, Bridge Domain, ANP, EPG to VM, EPG to DVPG association
• Layer 2 path from VM to leaf nodes
• VM to VM path visibility (ACI VRF in VM-VM path)
• ACI leaf nodes and their ports in path; spine fabric

[Figure: ACI Leaf, ACI Spine]

Page 20

Operations with BGP-EVPN Underlay

• Show VM to VM path through a BGP-EVPN underlay
• Leaf, Spine, Uplinks, VRFs
• EVPN (overlay visualization)
• Expand the underlay topology in the context of the VM
• Show all the leaves where the default gateway of the VM is present

Page 21

Hybrid Applications - Extending to Public Cloud

• VMware Cloud or native public cloud (AWS, Azure, ..)
• Hybrid Network Path Troubleshooting (cloud-to-on-premises, Gateways, VPN)
• Traffic Analysis & Micro-segmentation Planning for cloud workloads
• Migration planning from on-premises to cloud

Page 22

Any App, Any Cloud

Apps can land anywhere, can be deployed anywhere, and can span beyond the DC to the edge and the cloud. vRealize Network Insight brings it all together with end-to-end visibility, security and control.

Page 23

Learn More

• Try the Hands-on Lab: HOL-1829-01-NET at Labs.hol.vmware.com (Hol.vmware.com)
• vmware.com/go/vrni
• Available for evaluation as part of VMUG Advantage: https://www.vmug.com/Join/EVALExperience
• Request a free 30-day evaluation for the Network Insight service: Cloud.vmware.com/network-insight/request-access

Page 24

DON’T FORGET TO FILL OUT YOUR SURVEY.

#vmworld #SAI2555BE

Page 25

THANK YOU!

#vmworld #SAI2555BE