
Don’t Miss out on These 5 Spotlights on Security at vForum Online Summer 2017


You’ve likely heard it before: “All businesses are now digital businesses.” But since the business has expanded into digital space, shouldn’t something as critical as business security digitally expand too? That’s where the VMware ubiquitous software layer comes into play — sitting across the application infrastructure and endpoints, no matter where they are.

Now more than ever, it’s clear that security expertise is a must-have for IT. To further enhance your own security knowledge, make sure to join us at vForum Online on June 28th — right from your own desk. As our largest virtual conference, vForum Online is a must-attend event for IT professionals, and especially for those looking to improve their approach to security.

For returning attendees, you may notice we’ve made some alterations to the structure of vForum Online: Now, the conference is divided into several goal-oriented tracks, to ensure we’re aligned to your IT aims.

With this free, half-day event just a few weeks away, we’re counting down the days — and counting up all the reasons you should attend. Get a preview of these five security spotlights you can expect at the conference:

  1. A Modern Approach to IT Security

In our “Transform Security — Reduce Risk, Increase Agility, and Control CapEx” breakout session, we’ll walk you through the benefits of the VMware ubiquitous software layer for security: how it secures application infrastructure, identity, and endpoints, and also streamlines compliance in an increasingly hybrid and complex IT environment.

Still have questions? In a Chat with Experts, you’ll talk live with a seasoned security pro to get the answers you need.

  2. All About Micro-segmentation

Thanks to software Micro-segmentation, IT is able to simplify security policies and align them to the applications themselves. Micro-segmentation enables IT to define security policies at the individual VM level, so that as workloads move between public and private clouds throughout their lifecycles, their security policies move with them.

You’ll be able to take a closer look at Micro-segmentation in our “Secure Application Infrastructure — Micro-segmentation Technology Deep-Dive” breakout session. Then, you can ask for individualized support in the Micro-segmentation-themed “Chat with Experts.”

  3. Dig Into Defense-in-Depth Security

Want to peek at some of the advantages of security in Software-Defined Data Center? Start with our breakout session, “Design Defense-in-Depth Security in the Software-Defined Data Center Using vSphere v6.5 and NSX 6.3,” where you’ll become acquainted with the features of specific solutions like VMware NSX® 6.3 and VMware vSphere v6.5®.

A Software-Defined Data Center Specialist will be on hand to help you dig deeper into the topic (and design your own defense-in-depth security approach) — in one of our Chats with Experts.

  4. Customer Success Story on Security

Learn something new from one of your peers. In our “Customer Story” breakout session, we’ll review a real security success story from a VMware customer, the Deluxe Corporation. You’ll see specifically how this business was able to achieve superior security with a ubiquitous software layer across their application infrastructure and endpoints. The result? Maximized visibility, content, and control — to secure interactions between all users, applications, and data. With the insights you’ll gain in this session, you’ll begin to innovate on your own security.

  5. NSX Hands-on Labs

Want to know what we’re most looking forward to at the June 28th vForum? The Hands-on Labs. In two security-focused demos, you’ll get interactive as you explore NSX and its many features. You can also join a Lab specifically on distributed firewall and Micro-segmentation with NSX. Sign up for a single one, or do double duty. Your choice. 

And by the way, there will be a few other special bonuses on the big day. It all kicks off with an opening keynote from our CEO, Pat Gelsinger. In his talk, “5 Myths of IT,” Pat will bust some common IT myths and share his perspective on IT today.

Throughout the day, we’ll also be giving away awesome prizes, like an Oculus Rift VR headset and a voice-controlled Amazon Echo speaker. So, come join us for the learning — and stay for a prize.

Register for vForum Online on June 28. We look forward to your attendance.

The post Don’t Miss out on These 5 Spotlights on Security at vForum Online Summer 2017 appeared first on Network Virtualization.


VMware NSX and Check Point vSEC


One of the current challenges of data center security is East-West traffic, which has become pervasive as modern applications communicate a great deal between their different components. Conventional perimeter security is poorly placed to secure these lateral flows or to enforce a zero-trust model that prevents threats moving laterally within an application's tiers. VMware NSX addresses this, providing a virtual firewall at the virtual NIC of each VM together with a management framework that makes micro-segmentation achievable with a sensible level of overhead. Check Point vSEC can be deployed in conjunction to provide threat and malware protection.

The VMware NSX Distributed Firewall (DFW) protects East-West L2-L4 traffic within the virtual data center. The DFW operates in the vSphere kernel and provides a firewall at the NIC of every VM. This enables micro-segmented, zero-trust networking with dynamic security policy that leverages vCenter's knowledge of VMs and applications to build policy, rather than relying on IP or MAC addresses that may change. Tools for automation and orchestration, as well as a rich set of APIs for partner and customer extensibility, complete the toolset for security without impossible management overhead. While this is a dramatic improvement in the security posture of most data centers, layer 4 policies may not prevent malware or other threats that propagate via standard, likely permitted, protocols.

The NSX NetX API allows the insertion of third-party security services into a VM's network traffic flow, streamlining the deployment of the partner solution and permitting security tags to be shared so that dynamic security policy can still be used. The Check Point vSEC integration with NSX automatically deploys a Check Point vSEC appliance to every host in a cluster and then steers traffic to it within the host for inspection according to policy. The Check Point management server also connects to the vCenter API to retrieve vCenter constructs, for example virtual machine folders.

The combination of both products with dynamic security groups permits effective security control while policy size and readability are maintained, promoting effective auditing and troubleshooting. For more details, check out this blog post: Advanced VMware NSX Security Services with Check Point vSEC.
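To make the dynamic-policy point concrete, here is a small Python model of tag-based micro-segmentation with a redirect action for partner inspection, added as an example for this page; it is not NSX or Check Point code, and the VM names, tags, rule format and addresses are constructed for the illustration.

```python
"""Illustrative model of tag-based micro-segmentation with partner service
insertion. Added example, not NSX or Check Point code; the rule format, VM
names, tags and addresses below are invented for the illustration."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class VM:
    name: str
    ip: str
    tags: Set[str] = field(default_factory=set)  # stands in for NSX security tags


@dataclass
class Rule:
    name: str
    src_tag: Optional[str]   # None = any source
    dst_tag: Optional[str]   # None = any destination
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None = any port
    action: str              # "allow", "deny" or "redirect" (steer to partner service)


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


class Inventory:
    """Stands in for the vCenter/NSX Manager view of workloads and their tags."""

    def __init__(self, vms):
        self.vms = {v.name: v for v in vms}

    def by_ip(self, ip) -> Optional[VM]:
        return next((v for v in self.vms.values() if v.ip == ip), None)

    def migrate(self, name, new_ip):
        # A workload moving between sites/clouds gets a new address but keeps its tags.
        self.vms[name].ip = new_ip


class DistributedFirewall:
    """Per-vNIC evaluation: rules match on workload tags, not on addresses.
    Rules are evaluated top down, first match wins, no match means default deny."""

    def __init__(self, inventory: Inventory, rules):
        self.inv = inventory
        self.rules = rules

    @staticmethod
    def _matches(rule: Rule, flow: Flow, src: Optional[VM], dst: Optional[VM]) -> bool:
        if rule.src_tag and (src is None or rule.src_tag not in src.tags):
            return False
        if rule.dst_tag and (dst is None or rule.dst_tag not in dst.tags):
            return False
        if rule.proto != "any" and rule.proto != flow.proto:
            return False
        if rule.dport is not None and rule.dport != flow.dport:
            return False
        return True

    def evaluate(self, flow: Flow) -> Tuple[str, str]:
        src, dst = self.inv.by_ip(flow.src_ip), self.inv.by_ip(flow.dst_ip)
        for rule in self.rules:
            if self._matches(rule, flow, src, dst):
                return rule.name, rule.action
        return "default", "deny"  # zero-trust: unmatched East-West traffic is dropped


def build_demo():
    """Constructed three-tier inventory and policy."""
    inv = Inventory([VM("web-01", "10.0.1.10", {"tier:web"}),
                     VM("app-01", "10.0.2.10", {"tier:app"}),
                     VM("db-01", "10.0.3.10", {"tier:db"})])
    rules = [
        # Permitted protocol, but still steered to the partner appliance for inspection.
        Rule("web-to-app-inspect", "tier:web", "tier:app", "tcp", 8443, "redirect"),
        Rule("app-to-db", "tier:app", "tier:db", "tcp", 5432, "allow"),
        # Anything the DB tier initiates sideways is blocked explicitly and logged.
        Rule("db-no-lateral", "tier:db", None, "any", None, "deny"),
    ]
    return inv, DistributedFirewall(inv, rules)


def demo_migration():
    """Policy keyed on tags follows the workload when its address changes."""
    inv, dfw = build_demo()
    before = dfw.evaluate(Flow("10.0.1.10", "10.0.2.10", "tcp", 8443))
    inv.migrate("app-01", "192.168.50.7")  # moved to another site, new address
    after = dfw.evaluate(Flow("10.0.1.10", "192.168.50.7", "tcp", 8443))
    # Contrast: a rule pinned to the old address 10.0.2.10 would now miss the flow.
    ip_rule_still_hits = Flow("10.0.1.10", "192.168.50.7", "tcp", 8443).dst_ip == "10.0.2.10"
    return before, after, ip_rule_still_hits
```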


If you are in the Massachusetts area and want to learn more next week, register for our lunch and learn on Wednesday 14th June here.


To learn more about VMware NSX and Check Point vSEC


VMware NSX Achieves Common Criteria EAL 2+ Certification


VMware NSX 6.3 for vSphere has achieved Common Criteria certification at Evaluation Assurance Level (EAL) 2+ (view the certification report; view the press release). This marks yet another milestone in our commitment to providing industry-leading certified solutions for customers from federal departments and agencies, international governments and agencies, and other highly regulated industries and sectors. Along with FIPS, DISA-STIG, ICSA Labs firewall certification, and several other independent evaluations, the Common Criteria accreditation validates NSX as a reliable network virtualization platform that satisfies stringent government security standards.

Common Criteria is an international set of guidelines (ISO-15408) that provides a methodology framework for evaluating security features and capabilities of Information Technology (IT) security products. It is mutually recognized by 26 member nations.

Regulatory compliance is one of the challenges faced by government IT departments in their efforts to modernize legacy systems, and Common Criteria is often required for procurement sales. The Common Criteria accreditation affirms that NSX for vSphere complies with the security requirements specified within the designated level and simplifies the introduction of NSX into government and highly regulated environments. NSX enables customers in the public sector to implement network virtualization to reduce cyber-threats, improve operational efficiency and reduce disaster recovery time.

The following deployment scenario was evaluated for Common Criteria certification:


By awarding a Common Criteria certificate, the Certification Body asserts that the product satisfies the security requirements specified in the associated Security Target.

Running a Common Criteria-compliant NSX installation requires a specific NSX configuration. The steps are explained in Configuring NSX for Common Criteria.

Achieving Common Criteria certification demonstrates our commitment to serving customers from federal departments and agencies, international governments and agencies, and other highly regulated industries and sectors. We continue to invest in certification efforts to ensure that NSX is the trustworthy network virtualization platform transforming security and addressing automation and application continuity.


All official VMware certifications are available at: http://www.vmware.com/security/certifications.

To learn more about VMware NSX and Compliance


VMware Evolve Transform Security is Coming to A City Near You!


Modern IT professionals face significant security challenges. As digital transformation continues to connect applications, users, and data in the cloud, perimeter security models that once offered businesses protection are no longer sufficient. Critical visibility into users and endpoints is missing, enforcing policies is difficult, and, in the meantime, cyberattacks are more sophisticated and costly than ever.

What do IT teams need to defend today’s applications, users, and data from potentially brand-damaging attacks?

That’s the question VMware experts will be tackling during our VMware EVOLVE Transform Security events, coming to a city near you. During these half-day, in-person events, you will learn how a ubiquitous software layer can help address the security challenges of the modern business.

VMware experts will guide you through how to:

  • Secure application infrastructure and better align security controls to apps
  • Secure identity and endpoints to control access and enforce data loss prevention
  • Streamline governance, risk management and compliance to limit cyber-attack vectors

Reserve your spot at an upcoming Transform Security-focused VMware EVOLVE event in your city:


NSX Experience Day Planning for Operational Transformation: Key Resources


Our Experience Day is a deep dive into operationalizing NSX.  This half-day working session includes breakouts, workbook assignments (summaries, checklists, and Q&A), and deep discussions with peers.  To realize the benefits of network virtualization, organizations will want to assess and execute an operational plan that spans across people, process, and technology.  You and your organization can review the key assets below and make use of the best practices that make the most sense for your particular situation.

If you are interested in joining one of our sessions, please contact your NSX Sales Specialist or account System Engineer.


COMMUNITY

NSX Community at VMUG. Dedicated to network and security virtualization, it is a robust resource for individuals who are motivated to learn more.

For a limited time, join VMUG Advantage to get over $4000 worth of NSX training for only $2,800 (Until Aug 28). Includes NSX Install, Configure Manage On-Demand, VCP-Network Virtualization test prep and voucher, and much more.


TRAINING & CERTIFICATION COURSES

VMware NSX Training and Certification. Explore the expert NSX training & certifications from VMware.


SERVICES

Professional Services for Transforming Security. Get your team operational by Day 2 and ensure that you achieve measurable results.

Accelerate Advisory Services. Uncover hidden barriers, find opportunities and formulate pragmatic IT transformation strategies.


DOCUMENTATION

NSX Troubleshooting Guide. Monitor and troubleshoot the VMware® NSX™ system by using the NSX Manager user interface, the vSphere Web Client, and other NSX components.

NSX Monitoring Guide. Step-by-step instructions for configuring vRealize Operations Manager and vRealize Log Insight for monitoring of the operations in the SDDC.

Day 1 Guide: Microsegmentation. Highlights the importance of microsegmentation in enabling better data center cyber hygiene.

Operationalizing NSX White Paper. To realize the benefits of network virtualization, organizations will want to assess and execute an operational plan that spans across people, process, and technology.

Recommended Reading

Design Guides.  (select Documents)

NSX Mindset. One’s mental capability to be a determined leader and catalyst for change in the way a company designs, implements, manages, and operates networking and security.



Networking Challenges in OpenStack Clouds


Have you decided that it is time to implement OpenStack to build your cloud? Have you tested it in the lab, evaluated the many distributions available, and hired specialized OpenStack resources? And yet, when the environment goes into production, Neutron does not integrate with the physical network?

If this story closely resembles what you have faced, this post will uncover the many networking challenges that come with any OpenStack distribution, and show how VMware NSX is the missing piece for your cloud.

Networking and Security Challenges with OpenStack

Since its creation, the biggest challenges of OpenStack cloud implementations have been the automation, integration and orchestration of the required networking and security components at the physical infrastructure layer. The main difficulty is that these environments are extremely heterogeneous and most of the devices do not have an open, programmable configuration interface; thus, the initial way of running OpenStack was to pre-provision the network manually and to use only basic functionality when implementing security services.

With the rise of network virtualization solutions and the evolution of Open vSwitch, some of these challenges were solved, making it possible to create an abstraction layer over the physical elements of the infrastructure and to automate the virtual network through the programmable interface of the network virtualization solution.

However, the Neutron project (responsible for managing all OpenStack cloud security and network services) has been undergoing constant modification, especially regarding the need for more advanced functionality such as dynamic routing, VPN, firewalling and others. With those constant changes, maturity, consistency and resilience were eventually undermined.

If you are interested in how VMware is currently contributing to OpenStack community, please read Scott Lowe‘s post – Making OpenStack Neutron Better for Everyone – on our VMware OpenStack Blog.

The table below, extracted from the 2017 OpenStack Foundation User Survey, shows which Neutron features are used the most, or are currently required, in the majority of OpenStack clouds.

Growth without planning has brought major challenges to the Neutron project. What is most debated today is whether the architecture of this project needs to be reworked, in order to simplify its use and improve its integration with Network Virtualization Solutions.

VMware NSX Integration with OpenStack

Few companies today are using OpenStack in production without a network virtualization platform, and those that are not, usually face major challenges like the ones mentioned above.

The benefits that VMware NSX brings to Neutron are:

  • Agility: Create Networks at the same speed as the applications;
  • Mobility: Provisioning and mobility of instances;
  • Security: Micro-segmentation and chaining of partner services for advanced features;
  • Multi-tenant: Possibility of using shared infrastructure among multiple tenants;
  • Simplified Operations: Centralized control and single monitoring;

As mentioned, the challenges with Neutron can be addressed with NSX as follows:

  • Simplified implementation of Neutron services;
  • Stability, scalability and high availability;
  • Continuous development of new functionalities;
  • Higher performance due to distributed NSX architecture;
  • Management, Day 2 Operations, and native Troubleshooting Tools in NSX;

To integrate with Neutron, VMware NSX has an open plugin available on GitHub that can be used by any OpenStack distribution or implementation.

This plugin translates Neutron API calls into NSX API calls at the NSX Manager and thus builds the network and security services. The figure below shows an example of what can be deployed using this approach:

VMware NSX supports OpenStack environments regardless of the underlying hypervisors and has plug-ins available for any OpenStack distribution to use its benefits.

Meet some of our customers who are benefiting not only from NSX, but also from VMware Integrated OpenStack at the links below:

On the Road

If you would like to understand more about this topic, I will be delivering sessions on networking and security challenges at the following events:

VMworld’17 – Las Vegas – USA

August 27 – 31, 2017

Mandalay Bay Hotel & Convention Center
3950 S Las Vegas Blvd
Las Vegas, NV – 89119 – USA

My session will be Tuesday, 29th August at 4pm.

To know more about VMworld’17 click here.

OpenStack Day 2017 – São Paulo – Brazil

Saturday, July 15, 2017, 08:30 a.m. to 8:00 p.m.

Gamaro Theater
Doctor Almeida Lima, 1176 Mooca
São Paulo, SP – 03164-000 – Brazil

My session will be at 2:40pm at the main stage.

To know more about OpenStack Day São Paulo click here.

If you have the opportunity to be at any of these events, don’t hesitate to reach out to me!

I hope you have enjoyed this post; contact me if you have any questions.



Transforming IT Security in Three Key Steps


Several years ago, the CEO of a Fortune 100 company remarked: “If you went to bed last night as an industrial company, you’re going to wake up this morning as a software and analytics company.”

Today, these words are more true than ever—but so is the reality that the digital transformation in business has also given rise to significant changes across the IT landscape and, in turn, significant new challenges for IT security.

As people, devices, and objects become more connected, protecting all these connections and environments has become a top priority for many IT organizations. At the same time, it’s also become one of their biggest challenges. Securing each and every interaction between users, applications, and data is no easy feat—especially when you consider that securing these interactions needs to be done across environments that are constantly changing and increasingly dynamic.

So how do you mitigate risk in a world where IT complexity and “anytime, anywhere” digital interactions are growing exponentially? For organizations that are embracing cloud and virtualized environments, three common-sense steps—enabled by a ubiquitous software layer across the application infrastructure and endpoints that exists independently of the underlying physical infrastructure—are proving to be key for providing the visibility and control needed to maximize security across modern IT environments.

  • Secure the application infrastructure

While traditional data center security can provide adequate protection at the perimeter, it is not designed to provide sufficient visibility and control inside the data center. Virtualizing the application infrastructure, and compartmentalizing applications via network micro-segmentation, can help provide the protection needed against today’s increasingly sophisticated attacks.

  • Secure identity and endpoints

As mobility, BYOD, and IoT initiatives proliferate, so too does the complexity of managing an ever-widening variety of devices. Virtualization can help verify user identity and device posture, providing true visibility and control that extend into the data center or cloud, where the application infrastructure resides.

  • Streamline compliance

Managing risk and maintaining compliance are major challenges, made even more difficult as organizations make the transition from on-premises data centers to cloud. Virtualization helps enable a more holistic approach to meeting compliance demands by providing an ideal location to implement controls and gain visibility.

Of course, this is just a brief overview of how a purposeful software layer that spans from infrastructure to endpoint can help transform IT security for today’s organizations. For a more detailed discussion, please read the VMware solution overview entitled “Three Key Steps to Transforming IT Security.”

Learn more about Transform Security here.

Join Us Online



Calling all networking leaders – future:net 2017 is coming

“I thought future:net was the smartest of the networking conferences I’ve attended this year. The speakers were excellent — especially the customer and end-user stories, which provided valuable insight…it reminded me a lot of the first years of the Open Network Summit — the brain trust of the industry would attend, and that made it a must-attend show.”
Craig Matsumoto, Managing Editor, SDX Central

“A note to say what a privilege it was to participate in the future:net event. Seriously, absolutely top notch event that was free of the embuggerances that make large conferences such hard work. Congratulations on pulling it together and we hope for another invitation when it comes around again.”
Greg Ferro and Ethan Banks, Co-founders of Packet Pushers

We live in a hyper connected world – everything of value, from the apps, to the cloud, to the devices, to the users, is all closely tethered to one another. The network has become the critical platform that connects everything reliably and securely. IT must also evolve to support this new ecosystem of engagement. Ultimately, a lot has to happen for the network to deliver what customers need: a seamless and secure experience.

That’s why we’re looking forward to future:net 2017 – taking place in just a few weeks! Technical leaders across different industries will highlight their digital journeys and the current state of their networking solutions, while networking leaders at the cutting edge of new technologies will showcase what’s in store for the future.

This year, notable speakers such as Peter DeSantis, Vice President of Infrastructure Leadership at Amazon, will share about the necessary and crucial evolution of networking (for 2016 session topics, see recordings).

Let’s get ready for the digital era together. Join us this year on August 30th – 31st at the Four Seasons Hotel in Las Vegas. future:net is a complimentary, invite-only event and space is limited. Request an invite today and to learn more, please visit the future:net website.

Questions? Contact us at future.net@vmware.com



NSX-Powered Credit Union Shifts Focus to Speed and Innovation


Personal banking sure isn’t what it used to be. Thankfully.

When is the last time you went to a bank? My trips are so infrequent that I actually enjoy the experience as a change of pace. That’s because normally, I get to transfer money or deposit a check not only online, but from my phone. And things in the banking sector aren’t slowing down, they’re speeding up, as new digital upstarts create competition and a pressure to innovate and make customers’ lives easier.

Still, not too long ago, the banking industry was feeling the shockwaves of the financial crisis. Investments across the industry were tight, meaning more had to be done with less – a story many of us who have had roles in IT can relate to. So when Amy Hysell took on the role of CIO at the Arizona Federal Credit Union (AZFCU), she decided to take a fresh approach. To compete in this fast-moving industry, she stepped back and looked at how to enable speed and innovation while keeping security as the top priority, and without sacrificing cost efficiency.

Fast forward to today, and a peek at some of AZFCU’s services quickly demonstrates a forward-thinking customer-first credit union. Using their own apps on mobile and even wearable platforms, the credit union offers innovative services like CardPower to manage credit card security, Popmoney to easily send money via text, or Eyeprint ID for additional security.

Using VMware NSX and the Software-Defined Data Center (SDDC) model, AZFCU was able to modernize their data center and drastically reduce the time spent fighting fires and keeping the lights on, allowing them to shift to a renewed focus on their customers. Let’s look at what that really meant.

Application Continuity

Many IT organizations classify applications in tiers by how critical they are, giving critical applications better attention and higher availability. This is logical, but can also conflict with user expectations in a world where everything is expected to work all the time. Why should one have to choose which application will get high availability?


Using NSX, AZFCU was able to extend their networking and security services across multiple locations, resulting in a streamlined operation running over multiple active-active sites. When a set of resources fails, the application can be instantly recovered in an entirely different location, and with the same networking and security policies ready to go.

What did this mean for the business? Instead of only the privileged few applications being recovered during an outage, any application can be instantly recovered. Instead of a complete recovery taking hours, it takes minutes, or is actually instant. Leveraging resources across locations, new applications could be spun up in minutes or hours, not days or weeks.

“Security Comes First”

If a hacker considers a retail breach of credit card information a jackpot, then getting into a bank must be heaven. This means the increased number of breaches creates immense pressure on banks, as their customers trust them to keep their money and data secure.

“It’s fine to be able to identify a data breach, but by then it’s too late,” says Hysell. “With VMware NSX, we can contain a breach and minimize the impact rather than letting it go and doing forensics later to determine what happened. And from a data governance perspective, we have much more visibility, so it’s much easier to conduct risk assessments.”

In addition to becoming more secure, Hysell found that teams were able to move faster now that there was a common way to segment new applications appropriately, based on some simple questions such as whether sensitive user data is involved.

Agile Banking

With a new operational model for how applications are deployed, secured, and recovered, AZFCU’s business has seen a dramatically improved SLA for new services. They’ve moved from a reactive model to a proactive model, allowing them to focus on differentiating innovation, like new ways to make mobile banking easier and more secure.

“With our new data center powered by VMware, we can say ‘yes’ a lot more often,” says Hysell. “Our internal customers are very happy.”

They also get top talent into the business.

“We’re able to attract and retain top IT talent because we’re giving them modern tools to do their jobs better,” says Hysell. “We can understand the health of our network from a single pane of glass. I get a report every day, so I worry a lot less.”

Learn More

Going to VMworld? Amy Hysell will join me in the breakout session Intro to NSX for Application Continuity (session ID NET1300BU). It will be held on Tuesday, August 29th at 4:00 PM. Come see us!

More resources on the topic of Application Continuity with NSX:


Top 10 Networking and Security Sessions VMworld 2017


At VMworld 2016, we showed that network virtualization has gone mainstream and that NSX is the sure-fire way for you to bring your data center into the future with unparalleled security, speed, and agility.

A year on, NSX is taking its show on the road, and its destination is… everywhere. Not satisfied to help you master only the data center, NSX is setting out to help you conquer the cloud, remote and branch offices (ROBO), and even containers. To help you get there, VMworld 2017 has 70+ networking and security sessions and 60+ NSX customers to show you the way forward firsthand. And as an added bonus, VMware will be launching an exciting new security product, to help ensure your applications stay secure!


So take a look at the list of the top, can’t-miss networking and security sessions below. You should also check out the schedule builder on VMworld.com to reserve your spot in the top networking and security sessions as well as to discover the whole range of introductory and deep dive NSX sessions covering the entire use case spectrum.

See you at VMworld US 2017!

Date | Time | Session ID | Session Title
Mon, August 28 | 11:00 AM – 12:00 PM | SAI3237SU | Use Virtualization to Secure Application Infrastructure
Mon, August 28 | 1:00 PM – 2:00 PM | NET3235SU | Why Networking is at the Heart of Digital Transformation
Mon, August 28 | 1:00 PM – 2:00 PM | NET1521GU | Container Networking with NSX-T Overview
Mon, August 28 | 2:30 PM – 3:30 PM | NET3282BU | The NSX Practical Path
Mon, August 28 | 4:00 PM – 5:00 PM | NET3236SU | NSX Everywhere: The Network Bridge for On-Premises, Private, and Native Public Clouds
Mon, August 28 | 4:00 PM – 5:00 PM | NET1152BU | Introduction to VMware NSX
Tues, August 29 | 11:30 AM – 12:30 PM | NET1821BU | The Future of Networking and Security with NSX-T
Tues, August 29 | 12:30 PM – 1:30 PM | TS7003KU | Transforming Networking and Security for the Digital Era
Tues, August 29 | 4:00 PM – 5:00 PM | SAI2895BU | Application Security Reviews Made Easy with VMware’s Latest Security Solution
Wed, August 30 | 1:00 PM – 2:00 PM | NET1089BU | When Clouds Collide, Lightning Strikes


The post Top 10 Networking and Security Sessions VMworld 2017 appeared first on Network Virtualization.

NSX Sessions for the Geeks at VMworld 2017


This year at VMworld 2017 we have a great agenda full of highly technical sessions around NSX. Over the past few years NSX has expanded to meet a variety of use cases, as our Content Catalog clearly shows. Based on the project you're working on today, check out our recommendations for the best technical sessions for these specific NSX use cases:

  1. General overview sessions
  2. Security
  3. NSX & Cloud Native Apps
  4. Application Continuity
  5. Automation
  6. Design & Architecture

General NSX Sessions:

TS7003KU: Transforming Networking and Security for the Digital Era

Speakers: Milin Desai, Tom Corn and 3 customers

At a time when changes to technology are coming at us at a fast pace, how do customers meet and exceed business expectations? This session will focus on how customers are on their SDDC journey in context of network and security. Through the lens of the customer we will share what drives adoption, technology updates, team dynamics and becoming part of the overall business success.

NET3282BU: The NSX Practical Path

Speakers: Nikhil Kelshikar, Ron Fuller

We will share how customers have found value with NSX by getting started with one of the use cases around Security, Automation or App continuity. We will show demos of how one can create a security perimeter in a few simple steps, leveraging APIs and tools to drive automation and extending your network for DR.

NET3283BU: NSX Features Deep Dive

Speakers: Catherine Fan, Nicholas Furman

NSX is feature packed, but you don’t need to use everything to realize your use case. We will show you (with demos) how NSX features map to use cases. If you are an NSX user, you will learn what more you could be doing with NSX.

 

NSX security focused sessions:

NET1932BU: Distributed Networking and Security Services; Deep Dive

Speakers: Jayant Jain, Anirban Sengupta

Hear from the engineers who are developing the product about how distributed services work in NSX. They will talk about why distributed services matter and how we deliver fully stateful services for security and networking.

SAI2803BU: Road to Micro-segmentation with NSX

Speakers: Stijn Vanveerdeeghem, Geoff Wilmington

Stijn and Geoff will walk you through the thought process that goes into creating a micro-segmented security policy. They will show you some tools which can drastically reduce the time it takes to get there and make micro-segmentation easy to implement. You will learn techniques for how NSX can give you full visibility into what is actually happening inside your data center.

 

NSX & Cloud Native Apps

NET1522BU: Kubernetes Networking with NSX-T Deep Dive

Speakers: Yves Fauser, Yasen Simenov

This session will cover the new and upcoming NSX-T and container networking integration with Kubernetes. The speakers (Yves and Yasen) will show you how this integration works and the benefits of NSX-T for next-gen apps.

NET1523BU: Integrating NSX and Cloud Foundry

Speakers: Sai Chaitanya, Usha Ramachandran (Pivotal)

This session, jointly presented by VMware and Pivotal, will show how NSX can simplify networking and security deployments for a PaaS like Pivotal Cloud Foundry. We will share some PaaS fundamentals and demo what the integration looks like. You will not want to miss this session.

NSX – Application Continuity Sessions

NET1190BU, NET1191BU – Multi-site Networking with NSX (Part1, Part2)

Speakers: Humair Ahmed, Kent Munson (F5)

We had so much information we had to break this up into two parts to share best practices around multi-site networking and the cross-vCenter features. We will be joined by F5 in part 2 to share how global site load balancing can be used in conjunction with this NSX functionality.

NET1188BU: Disaster Recovery Solutions with NSX

Speakers: Justin Guirdina (CTO, iLand), Humair Ahmed, Ian Allie (Dell EMC)

Hear from Justin on how iLand implemented DR with NSX. Ian will walk through how we worked to create a DR solution with RecoverPoint, and there will be lots of demos!

 

NSX – Automation Focus

NET2119BU: Bringing the power of PowerCLI to NSX for vSphere

Speakers: Dale Coghlan, Nicholas Bradford

This was one of the highest rated sessions at VMworld last year and you will want to attend to find out why. The session is one big demo with a lot of entertainment and learnings. PowerNSX can show you a whole new dimension of how you can manage and operate your NSX environment and doing tasks in seconds!

NET1853BU: Infrastructure-as-a-Service and Day 2 Automation of NSX for vSphere using vRealize Orchestrator and vRealize Automation

Speakers: Hiral Doshi, Aditya Gokhale

Hiral and Aditya will share what’s new with the NSX and vRealize Automation integration. We will also introduce the NSX vRealize Orchestrator plugins for day 2 automation workflows.

NET1338BU: VMware Integrated OpenStack and NSX Integration Deep Dive

Speakers: Russ Starr Jr. (Cerner), Marcos Hernandez

Learn how Cerner leverages VIO and NSX for their OpenStack cloud. Marcos, who has helped many customers with this journey will share best practices.

 

NSX – Design and Architecture

NET1535BU, NET1536BU: Reference Design for SDDC with NSX and vSphere (Part1, Part2)

Speaker: Nimish Desai

This will be another double header session where Nimish will walk us through the NSX reference design. The audience will learn about the design decision points for NSX and the best practices we have learned based on the thousands of NSX deployments.

NET1836BU: NSX-T Advanced Architecture Concepts

Speaker: Francois Tallet

So you know about NSX for vSphere and are wondering what NSX-T platform is like, well you can come hear Francois walk us through the architecture and components of NSX-T.

These are just a handful of the catalog of NSX sessions at VMworld. You can search the session catalog here for more and pick your session of interest.

And wait, we have a limited number of swag bags this year, which the speakers will give away to attendees in every session.

We look forward to meeting you at VMworld!

The post NSX Sessions for the Geeks at VMworld 2017 appeared first on Network Virtualization.

Disaster Recovery with VMware NSX-v and Zerto


Note, this is a reposting of the blog that I initially posted here on humairahmed.com. In a prior blog, VMware NSX and SRM: Disaster Recovery Overview and Demo, I described and demoed how VMware NSX and SRM with vSphere Replication combine to provide an enhanced disaster recovery (DR) solution. SRM also provides additional integration with NSX when Storage Policy Protection Groups (SPPGs) are used, by automating network mappings. One of the great things about the NSX platform is that it can be used with any DR orchestration tool that supports the VMware vSphere ESXi hypervisor. Some of the tools customers are using with NSX include VMware SRM, Dell EMC RP4VM, Zerto, and Veeam. As SRM was discussed and demonstrated in a prior blog, Zerto and NSX together are explained in more detail below.

For more details on Disaster Recovery with NSX, make sure to check-out the Disaster Recovery Solutions with NSX [NET1188BU] session at upcoming VMworld 2017 on August 28th. I will discuss DR with NSX and DR Orchestration tools (SRM, RP4VM, and Zerto) in more detail. Justin Giardin from iland will discuss how they use NSX and Zerto to provide DRaaS solutions. Additionally, Ian Allie from Dell EMC Enterprise Hybrid Cloud (EHC) will discuss how they use NSX and RP4VM to provide DR services for their customers.

Similar to vSphere Replication, Zerto provides the ability to replicate workloads at the VM-level. Zerto Virtual Manager (ZVM) is a standalone manager installed on a Windows workstation. The diagram below shows how ZVM is deployed within the management vCenter domain in a multisite Cross-VC NSX environment.

Figure 1: Example NSX + Zerto DR Deployment

Once ZVM is linked to the respective vCenter, a user can log on to ZVM using vSphere credentials. From the ZVM, a Zerto Virtual Replication Appliance (VRA) can be installed on the hosts that have VMs that need to be protected.

Figure 2: Deploying Zerto VRAs

In Figure 3, it can be seen that there are four VMs in the Zerto Virtual Protection Group (VPG) being replicated/protected.

Figure 3: Four VMs in Zerto Virtual Protection Group

Similar to what was shown earlier with SRM, Zerto can also ensure that when an application or site failure occurs, the application(s) are recovered on the same network, thanks to NSX logical networks spanning both sites and vCenter domains. In addition to consistent networking across sites and vCenters, security is consistent too. The end result is a better recovery time objective (RTO) for applications, because the application's IP address does not need to change and security policies do not have to be manually replicated at the recovery site.

Figure 4 below shows how the default network mapping is configured within ZVM. By default, all workloads will failover to the respective default Failover Network upon actual failover and respective Failover Test Network when testing the Zerto DR plan.

Figure 4: Configuring Default Network Mappings in Zerto

As Figure 5 shows, different Failover Networks and Failover Test Networks can also be configured for each specific VM.

Figure 5: Configuring Network Mappings for Specific VMs in Zerto

An extremely valuable capability of leveraging NSX with DR orchestration tools like SRM, RP4VM, and Zerto is the ability to test the DR plan without any disruption to the production network. NSX enables this by allowing isolated test logical networks to be created easily with the same IP addressing scheme as production; because the test networks are isolated, the duplicate addresses never collide with the live workloads. The DR orchestration tools can then be configured to use the isolated test networks for realistic DR plan testing. This is represented in the diagram below using Zerto.

Figure 6: Simplified DR Testing Using Test NSX Logical Networks

As mentioned prior, for more details on Disaster Recovery with NSX and DR orchestration tools like SRM, RP4VM, and Zerto, make sure to check-out the Disaster Recovery Solutions with NSX [NET1188BU] session at upcoming VMworld 2017 on August 28th.

The post Disaster Recovery with VMware NSX-v and Zerto appeared first on Network Virtualization.

VMware NSX-V: Security for VxRAIL Hyper-Converged Solutions


Check out the new white paper on leveraging NSX-V for security within the VxRAIL hyper-converged platform. The paper outlines how VxRAIL hyper-converged solutions leveraging NSX-V for security solve many of the security challenges of traditional silo-based architectures. A brief outline is provided below; make sure to check out the white paper for additional details.

Figure 1 below shows a visualization of going from a traditional silo-based solution to a converged solution leveraging VxRAIL with NSX-V for security.  The optional NSX add-on provides security baked into the VxRAIL converged appliance allowing for a single pane of glass for managing workloads and their respective security policies.

Figure 1: Evolution to a Hyper-Converged Design with VxRAIL + NSX

In addition to NSX-V complementing the hyper-converged architecture of VxRAIL, NSX-V security on VxRAIL provides for several use cases outlined below.


1. VDI with NSX-V Providing for Enhanced Security Services

In this security use case, the organization is utilizing VDI desktops and has a need to secure the VDI nodes and back-end services being utilized; for this NSX-V DFW is utilized as shown in Figure 2 below.

Figure 2: VDI with NSX-V Providing for Enhanced Security Services

 

2. Micro-segmentation for Applications

In this use case, the organization has multiple applications running within a VxRAIL environment and desires to provide enhanced security to the application by further segmenting the data center/network and providing security closer to the application via micro-segmentation.

Figure 3: NSX Micro-segmentation and Security for Applications Running on VxRAIL

Since NSX applies security policies at the vNIC level, NSX is agnostic to whether the security policies are for workloads on the same network or between networks, as shown in Figure 4 and Figure 5. Additionally, unlike physical security appliances, there is no hair-pinning of traffic out to an external device.
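To make the vNIC-level point concrete, here is an added example (a toy model written for this page, not NSX code) that evaluates the same group-based rule table two ways: as a perimeter firewall, which only sees traffic that is routed between subnets, and as a distributed firewall enforced at every vNIC. The workload inventory, subnets, security-group names and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    groups: frozenset  # security-group membership, e.g. {"web"}


@dataclass(frozen=True)
class Rule:
    src_group: str  # "any" matches every workload
    dst_group: str
    dst_port: int   # 0 means any port
    action: str     # "allow" or "deny"


# Constructed topology: web1 and web2 share one subnet, db1 sits in another.
SUBNETS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24")]
WORKLOADS = {
    "web1": Workload("web1", "10.0.1.10", frozenset({"web"})),
    "web2": Workload("web2", "10.0.1.11", frozenset({"web"})),
    "db1": Workload("db1", "10.0.2.10", frozenset({"db"})),
}

# Constructed policy, first match wins: web may reach db on 3306, all else is
# denied, which includes web-to-web, the usual lateral-movement path.
POLICY = [
    Rule("web", "db", 3306, "allow"),
    Rule("any", "any", 0, "deny"),
]


def _matches(rule, src, dst, port):
    return ((rule.src_group == "any" or rule.src_group in src.groups)
            and (rule.dst_group == "any" or rule.dst_group in dst.groups)
            and rule.dst_port in (0, port))


def evaluate(policy, src, dst, port):
    """Walk the rule table top to bottom; deny if nothing matches."""
    for rule in policy:
        if _matches(rule, src, dst, port):
            return rule.action
    return "deny"


def same_subnet(src, dst):
    a, b = ipaddress.ip_address(src.ip), ipaddress.ip_address(dst.ip)
    return any(a in net and b in net for net in SUBNETS)


def perimeter_firewall(policy, src, dst, port):
    """A physical firewall between subnets only sees flows routed through it.
    Same-subnet flows switch locally and never reach it, so they pass unfiltered."""
    if same_subnet(src, dst):
        return "allow"
    return evaluate(policy, src, dst, port)


def distributed_firewall(policy, src, dst, port):
    """A vNIC-level firewall evaluates every flow at the source vNIC before it
    reaches the wire, so the subnet layout is irrelevant to enforcement."""
    return evaluate(policy, src, dst, port)


def compare(src_name, dst_name, port):
    """Verdict of both enforcement models for one flow."""
    src, dst = WORKLOADS[src_name], WORKLOADS[dst_name]
    return {
        "perimeter": perimeter_firewall(POLICY, src, dst, port),
        "distributed": distributed_firewall(POLICY, src, dst, port),
    }


if __name__ == "__main__":
    for flow in (("web1", "db1", 3306), ("web1", "web2", 22), ("db1", "web1", 80)):
        print(flow, compare(*flow))
```

The web1 to web2 SSH flow is the one to watch: both models agree on the cross-subnet flows, but only the distributed model denies the same-subnet hop, because the perimeter device never saw it.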

Figure 4: NSX-V Micro-segmentation and Security Between Applications on Different Networks

 

Figure 5: NSX-V Micro-segmentation and Security Between Applications on the Same Network

 

3. DMZ Anywhere

In this last security use case, the organization leverages native NSX-V security capabilities to create a DMZ environment anywhere within the network, without relocating workloads to a dedicated physical segment.

Figure 6: NSX-V Providing a DMZ Anywhere Architecture Leveraging NSX-V

Optionally, advanced third-party security services from Palo Alto Networks, Check Point, and others can be inserted into the virtual environment through the NSX-V network introspection framework, as shown below in Figure 7.

Figure 7: NSX-V Providing a DMZ Anywhere Architecture Leveraging NSX-V DFW and 3rd Party Security

For additional information/details make sure to checkout the white paper: Security for Hyper-Converged Solutions: Dell EMC VxRAIL Appliances – VMware vSAN Readymades with VMware NSX-V.

 

The post VMware NSX-V: Security for VxRAIL Hyper-Converged Solutions appeared first on Network Virtualization.

NSX Going Wild at This Year’s VMworld


Get ready! NSX is hosting a major swag giveaway at VMworld as part of a celebration for everything our customers have accomplished in 2017! At various times throughout the conference, we’ll be on the prowl, looking for folks sporting NSX gear. If you’re spotted “in the wild” adorned with anything “NSX”, you could win some awesome swag and prizes. 

Join the hunt: show off your NSX pride (and your photography skills), and post photos of anything #NSX with the hashtag #NSXintheWild.  Winners will be chosen at random on the VMworld floor and online, so you never know when we might have you in our sights. But make no mistake – if you’re representing NSX in the wild, you’ll be a prime target for swag.

 

Pay it forward: If you happen to spot some cool NSX gear in the wild, snap a photo and tweet it out using the hashtag #NSXintheWild.  We hope you’ll join the fun and show off your NSX treasure. Your odds of winning some prizes will be much higher at VMworld if you do, as opposed to hitting the slots!

The post NSX Going Wild at This Year’s VMworld appeared first on Network Virtualization.

Announcing Three New VMware NSX Guides!


VMware’s Networking and Security Business Unit is excited to announce THREE new NSX Guides being released for VMworld U.S. 2017! Our Guides are authored and technically reviewed by VMware subject matter experts and cover VMware network and security essentials. These new guides follow our existing Day 1 Guide on VMware NSX’s most popular use case: micro-segmentation.

 

VMware NSX Micro-segmentation: Day 1 Guide

Within VMware NSX Micro-segmentation: Day 1 Guide, you will find insights and recommendations proven to move an organization from a perimeter-centric security posture to a micro-segmented architecture with enhanced security and visibility within the data center. The Guide also details how to effectively design and implement a data center security strategy around micro-segmentation.

 

VMware NSX Micro-segmentation: Day 2 Guide

As a follow-up to Wade Holmes’ Day 1 Guide, Geoff Wilmington has published a day 2 operations guide – VMware NSX Micro-segmentation: Day 2 Guide. A deeper dive into micro-segmentation, Geoff’s Guide provides the knowledge you need to begin building a scalable methodology and planning for the applications you are going to secure. With step-by-step processes for using tools and products such as VMware Log Insight, Application Rule Manager, and vRealize Network Insight, you will be armed with practical information so that planning micro-segmentation is no longer an overwhelming task.

 

Operationalizing VMware NSX

To realize the full benefit of VMware NSX, Kevin Lees offers insight into optimizing the ongoing operations of VMware NSX in the data center. Kevin covers both tactical optimizations – such as tooling for monitoring and troubleshooting, and strategic organization – including team structure, culture, roles, responsibilities, and skillsets. You will find proven insights and recommendations for enhancing the way you organize and operate the environment, unlocking its full potential to provide the flexibility and agility your business requires.

 

Automating NSX for vSphere with PowerNSX

Anthony Burke, with help from fellow Aussies Dale Coghlan and Nick Bradford, published a Guide detailing PowerNSX. PowerNSX is a PowerShell module that abstracts the VMware NSX for vSphere API to a set of easily used PowerShell functions. This Guide will teach you what PowerNSX is and the flexibility and control that it brings. It will also provide an overview of PowerNSX architecture and functionality, and then focus on PowerNSX usage.

 

If you are attending VMworld U.S. 2017 and want to learn more, our authors will be signing and handing out promotional copies at the VMware booth at the following times (all times local):

Monday, August 28th @ 12:30pm – PowerNSX (Dale & Nick)

Monday, August 28th @ 4:30pm – Micro-segmentation Day 2 (Geoff)

Tuesday, August 29th @ 11:30am – Micro-segmentation Day 1 (Wade)

Wednesday, August 30th @ 11:00am – Operationalizing NSX (Kevin)

 

If you are attending VMworld EMEA, there will be copies being signed and handed out at the following times:

Tuesday, September 12th@ 12:30pm – Micro-segmentation Day 1 (Wade)

Tuesday, September 12th @ 6:00pm – Operationalizing NSX (Kevin)

Wednesday, September 13th @ 1:30pm – PowerNSX (Dale & Nick)

 

Happy Reading!


The post Announcing Three New VMware NSX Guides! appeared first on Network Virtualization.


NSX-T is here !


VMware NSX is a network virtualization and security platform for the enterprise that is helping our customers make the transition to the digital era.  As developers embrace new technologies like containers, and the percentage of workloads running in public clouds increases, network virtualization must expand to offer a full range of networking and security services, natively, in these environments.

Today, we are announcing the next version of NSX-T, which provides network virtualization for multi-cloud and multi-hypervisor environments. The NSX technology that you are familiar with and have used for so many years is now available for cloud and container environments. At VMworld 2016, we showed a prototype of NSX providing network virtualization and micro-segmentation for native AWS workloads. That journey is now complete, and the service is initially available to some customers for their AWS workloads.

NSX can now provide seamless network virtualization for workloads running on either VMs or containers. VMs can be located either on-premises or on AWS. NSX provides the entire feature set for both VMware vSphere and KVM hypervisors. For native workloads on AWS, VMware NSX Secure Cloud provides the same security and network virtualization that you would receive in your private cloud.

NSX-T as a platform has been purpose-built for Infrastructure-as-a-Service (IaaS) providers that offer self-service functionality to their users; deploying it for on-premises infrastructure lets you offer the same self-service model. NSX-T is also built for developer-ready infrastructure: it integrates with Kubernetes and Red Hat OpenShift (Platform-as-a-Service, PaaS) to provide the much-needed network policy.

NSX-T holds both configuration and operational information. The operational state of an NSX-enabled data center, whether private cloud or public cloud, is available at the console. Based on our deployment experience, various parts of NSX-T have been optimized for east-west traffic between your applications.

At VMworld 2017, we will provide an in-depth review of the NSX-T architecture via breakout sessions, plus Hands-on Labs to try NSX-T for both VMs and containers. Please attend those sessions and give us feedback on what you like and which features you would like us to incorporate in the future.

NET1510BU: Introduction to NSX-T

Speakers: Andrew Voltmer, Dimitri Desmidt

Andrew and Dimitri will provide details on the NSX-T platform and its capabilities across various environments.

NET1836BU: NSX-T Advanced Architecture Concepts

Speaker: Francois Tallet

So you know about NSX for vSphere and are wondering what NSX-T platform is like, well you can come hear Francois walk us through the architecture and components of NSX-T.

 

NET1522BU: Kubernetes Networking with NSX-T Deep Dive

Speakers: Yves Fauser, Yasen Simenov

This session will cover the new and upcoming NSX-T and container networking integration with Kubernetes. The speakers (Yves and Yasen) will show you how this integration works and the benefits of NSX-T for next-gen apps.

Hands on Labs :

HOL-1826-01-NET: This HOL covers NSX-T support for virtual machines on vSphere and KVM hypervisors.

HOL-1826-02-NET: This HOL covers the NSX-T container networking integration with Kubernetes.

 

These are just a handful of the catalog of NSX sessions at VMworld. You can search the session catalog here for more and pick your session of interest. Post-VMworld, we will be doing more detailed blog posts on NSX-T and its various functional capabilities.

The post NSX-T is here ! appeared first on Network Virtualization.

Introducing VMware AppDefense – Expanding beyond micro-segmentation to threat detection and response


Hopefully, you have heard the news today! We couldn’t be more excited to announce the general availability of VMware AppDefense, our new security solution. AppDefense bolsters the micro-segmentation threat-prevention capabilities delivered by NSX with threat detection and response for data center endpoints. It’s no secret that organizations are spending more money than ever on security. It’s also no surprise that the only thing outpacing security spend is the losses due to security breaches. At VMware, we believe the struggle organizations face in gaining the upper hand in this battle is due to a foundational architectural gap that creates misalignment between the infrastructure where security is applied and the applications that security is designed to protect.

NSX was the first step toward re-aligning network security policy with applications, by leveraging the virtualization layer to enable micro-segmentation and by enhancing the posture of other security solutions through integrations and features like service insertion and guest introspection. But applications are made up of both networks and data center endpoints like VMs. AppDefense is the other half of the puzzle. Whereas NSX prevents threats from moving freely throughout the network, AppDefense detects anything that does make it to an endpoint and can automatically trigger responses through integration with NSX and vSphere. Prevent, detect, respond.

If you’re interested in taking a peek under the hood of AppDefense, check out this video, or take a look at the AppDefense website.

The post Introducing VMware AppDefense – Expanding beyond micro-segmentation to threat detection and response appeared first on Network Virtualization.

Introducing VMware Skyline™


VMware Skyline™ is an innovative support technology, developed entirely by VMware Engineering, that gives VMware technical support engineers deep visibility into your environment.

Customers with active support subscriptions install the VMware Skyline Collector, a standalone appliance that automatically and securely collects product usage data such as configuration, feature, and performance data.

It then listens for changes, events and patterns and analyzes the information using a robust rules and machine learning engine. The rules engine is where an ever-growing library of support intelligence, product knowledge, and logic is stored to analyze inbound streams of product information. Check out the video and the blog to learn more!

The post Introducing VMware Skyline™ appeared first on Network Virtualization.

Ensuring Good with VMware AppDefense


co-author Geoff Wilmington

Traditional data center endpoint security products focus on detecting and responding to known bad behavior. There are hundreds of millions of distinct malware samples, with over a million added every day. In addition, there is the threat of zero-day attacks exploiting previously unknown vulnerabilities. It becomes a never-ending race to “chase bad” without ever getting ahead of the threat landscape. What if we took the opposite approach to security? What if, instead of “chasing bad”, we started by “ensuring good”?

VMware AppDefense is a new security product focused on helping customers build a least-privilege security model for compute on data center endpoints, and on providing automated threat detection, response, and remediation for security events. AppDefense is focused on “ensuring good” rather than “chasing bad” on data center endpoints. When we focus our attention on what a workload is supposed to be doing, our lens for seeing malicious activity is much sharper, and as a result we narrow the exploitable attack surface of the workload down to what we know about.

 

Changing The Way We Secure Compute

AppDefense applies the concept of “ensuring good” by using three main techniques:

Capture

AppDefense starts by capturing the intended state of an application, then uses machine learning to gather information about the application's runtime state to get a full picture of the infrastructure. AppDefense utilizes the unique properties of virtualization to provide enhanced application visibility: the vSphere hypervisor can see both the intended state and the runtime state of a deployed application.

  • Intended State – The purpose of an application and the function it should perform.
    • Example –
      • A Web Server runs web services, or a Database Server runs database services.
      • The Web Server may have been built using vRealize Automation, Ansible, Puppet, or Chef.
      • The Web Server may have packages deployed from Maven or Jenkins.
  • Runtime State – An application placed into service runs the intended services and processes, and may require other processes and communications to be fully functional.
    • Example –
      • A Web Server talking to an Application Intelligence Server or a Database Server.
      • The Web Server may also require services such as NTP, DNS, LDAP, etc. These processes and communications are identified as part of the running state once the machine is active and performing operations.

All of this information is collected into a manifest and stored in a protected space in the vSphere hypervisor, where it is monitored against, protected from tampering, and used to alert automatically on unexpected or unintended changes.

 

Detect

AppDefense uses the unique virtualization property of strong isolation, utilizing the privileged position of the hypervisor to provide the best context for detecting anomalies.

Typical endpoint security approaches fall into two traditional camps:

  • Host-based Security –
    • Pro – Typically implemented as an in-guest agent, so context about what it’s protecting is exceptional.
    • Con – An in-guest agent is susceptible to being disabled, as it runs in the same user space as most attacks.

The biggest pro of typical host-based security is also its biggest con. Attackers eventually attack the security software itself to disable it. Since the security software runs within the same trust domain as the attacker, there is little it can do to protect the system and provide isolation.

  • Hardware-based Security –
    • Pro – A networked piece of hardware provides great isolation, since it is not in direct contact with the guest. It upholds its own trust domain, which would have to be compromised in addition to the guest: two points of attack for the attacker to succeed.
    • Con – A networked piece of hardware generally has no context about the guest and what is going on inside it. Such systems would have to reverse-engineer traffic and spend heavy compute cycles to get context. Most of the time, they are guessing what to do.

Hardware-based security can provide great isolation. It also adds an attack surface that an attacker would have to compromise to be successful. The problem with hardware is the lack of context: most of the time it blocks or allows with no idea what the traffic is. Next-generation firewalls can add context, but only on the wire, and not without heavy computation engines to perform the task.

AppDefense resides in the hypervisor, which is a separate trust domain, and so provides both context about the application and isolation. The hypervisor has visibility into the guest from a privileged position while still maintaining separate trust boundaries.

 

Respond

AppDefense uses the unique virtualization property of automation to respond automatically to the alerts that are triggered. Virtualized infrastructure is fully capable of being automated, since it is built entirely on software. This means AppDefense can use the same operations available for any virtual machine, such as power off, suspend, and snapshot, as remediation tactics for malicious activity.

Traditional security tools require manual remediation for most tasks: an administrator has to act on every alert. This delay can allow wider damage to the infrastructure while waiting on a response. AppDefense can take immediate action, based on a pre-defined security policy, once there is confidence that an anomaly represents malicious activity.
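The capture, detect and respond loop described above, as an added example. This is illustrative Python written for this page, not AppDefense code or its manifest format: the workload, the learning and runtime events, the verdict codes and the action names in the response policy are all constructed assumptions, and the manifest lives in process memory here rather than in a protected hypervisor space.

```python
from dataclasses import dataclass, field


@dataclass
class Manifest:
    """Intended state captured for one workload: which executables may run and
    which outbound (process, destination port) connections are expected."""
    workload: str
    allowed_processes: set = field(default_factory=set)
    allowed_connections: set = field(default_factory=set)


@dataclass(frozen=True)
class Event:
    workload: str
    kind: str        # "process" (an executable started) or "connect" (outbound flow)
    process: str
    dport: int = 0   # only meaningful for "connect"


def capture(workload, learning_events):
    """Capture phase: build the manifest from events observed while the workload
    was known-good, e.g. immediately after provisioning from a blueprint."""
    m = Manifest(workload)
    for ev in learning_events:
        if ev.workload != workload:
            continue
        if ev.kind == "process":
            m.allowed_processes.add(ev.process)
        elif ev.kind == "connect":
            m.allowed_processes.add(ev.process)
            m.allowed_connections.add((ev.process, ev.dport))
    return m


def detect(manifest, event):
    """Detect phase: anything outside the manifest is an anomaly.
    Returns None for expected behaviour, else a (code, detail) verdict."""
    if event.kind == "process":
        if event.process not in manifest.allowed_processes:
            return ("unknown_process", event.process)
        return None
    if event.kind == "connect":
        if event.process not in manifest.allowed_processes:
            return ("unknown_process_connect", f"{event.process}->{event.dport}")
        if (event.process, event.dport) not in manifest.allowed_connections:
            return ("unexpected_connection", f"{event.process}->{event.dport}")
        return None
    return ("unknown_event_kind", event.kind)


# Constructed response policy: maps a verdict code to the action the platform
# would take (alert only, quarantine the VM's network, or block the flow).
RESPONSE_POLICY = {
    "unknown_process": "alert",
    "unknown_process_connect": "quarantine",
    "unexpected_connection": "block",
}


def respond(code):
    """Respond phase: look up the pre-defined action; unknown codes only alert."""
    return RESPONSE_POLICY.get(code, "alert")


def run(manifest, runtime_events):
    """Full loop over a stream of runtime events; returns (code, detail, action)
    for each anomaly, in the order it was seen."""
    findings = []
    for ev in runtime_events:
        verdict = detect(manifest, ev)
        if verdict is not None:
            code, detail = verdict
            findings.append((code, detail, respond(code)))
    return findings


# Constructed sample data: a known-good learning window, then a runtime window
# in which a dropped-in binary phones home and nginx opens an unexpected port.
LEARNING_EVENTS = [
    Event("web1", "process", "nginx"),
    Event("web1", "process", "sshd"),
    Event("web1", "connect", "nginx", 3306),
    Event("web1", "connect", "ntpd", 123),
]
RUNTIME_EVENTS = [
    Event("web1", "process", "nginx"),
    Event("web1", "connect", "nginx", 3306),
    Event("web1", "process", "nc"),
    Event("web1", "connect", "nc", 4444),
    Event("web1", "connect", "nginx", 22),
]


if __name__ == "__main__":
    manifest = capture("web1", LEARNING_EVENTS)
    for code, detail, action in run(manifest, RUNTIME_EVENTS):
        print(f"{code:25} {detail:12} -> {action}")
```

Two properties of this model carry over to any allowlisting approach: the learning window has to be genuinely known-good, or the attacker's behaviour gets captured as intended state, and the response policy should be scoped per verdict so that a single false positive does not suspend a production workload.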

 

AppDefense Architecture

The AppDefense architecture is simple and has several integration points for optional configuration and automation engines to connect to.

  • AppDefense Manager – This is a multi-tenant, secured SaaS deployment engine that provisions the tenant Appliances for Management of the AppDefense components.
  • On-Premises AppDefense Appliance – An OVF deployed virtual appliance that connects to vCenter and any other optional components for configuration and policy synchronization between the AppDefense Manager and on-premises components.
  • vCenter Server – The vCenter Server that manages the hosts and clusters on which the applications AppDefense protects run. This integration provides the API interface through which AppDefense performs automated remediations using vCenter actions such as snapshot, power off, and suspend.
  • AppDefense Host Module – A vSphere Installation Bundle (VIB) deployed to all vSphere hosts AppDefense will protect. This module provides the trusted isolation within the hypervisor to store the manifests of the protected applications' context for AppDefense to monitor against.
  • AppDefense Guest Module – The in-guest software module that communicates with the AppDefense Host Module to monitor the kernel integrity of the guest.
  • NSX Manager (Optional) – The NSX Manager is an optional component used by AppDefense through API integrations to create a quarantine security policy within the NSX Manager. AppDefense leverages NSX security tags to provide automated remediation to quarantine an application based on AppDefense remediations.
  • vRealize Automation (Optional) – Integrated with vRealize Orchestrator with connections to vRealize Automation, a tagging option can be placed on the applications in the machine blueprint to automatically place a new application into AppDefense scope.

 

AppDefense Supported Deployments

AppDefense currently supports the following platforms:

vSphere Components       Guest Operating Systems     Integrations
vSphere ESXi 6.5a+       Windows 2012 R2             VMware NSX 6.3+
vCenter 6.5+             Windows 2016                vRealize Automation 7.3+


AppDefense Requirements

Below are the initial minimum requirements for AppDefense:

vSphere Components       AppDefense Components
vCenter 6.5              AppDefense Manager (SaaS based / no deployment needed)
vSphere ESXi 6.5         AppDefense On-Prem Appliance
                         AppDefense Host Module
                         AppDefense Guest Module (VM HW Ver. 13)

 

AppDefense Functions

Using the unique properties of virtualization, AppDefense applies capture, detect, and respond techniques so that the security administrator can capture known good configurations for functional whitelisting, detect anomalies against that known good configuration, and automatically remediate anomaly-based malicious activity.  Let’s further review how AppDefense uses these techniques.

 

Capture and Building Application Scope

AppDefense begins by building a scope for an application.  A scope consists of the services and virtual machines that make up the application.  Once these are identified, AppDefense starts the capture process and gathers information on the behaviors of the services and virtual machines.  As the capture proceeds, the administrator can see all of the behaviors that have been captured, down to the process level.  This information is used to build a whitelist of the expected behaviors of the application, capturing its runtime state.  Once the capture process is complete, the administrator places AppDefense into “Verify and Protect” mode.  AppDefense now knows all of the processes and behaviors of the application and begins to monitor for, and protect against, anomalies or deviations from the captured and verified whitelist.

Detecting Anomalies

When AppDefense is placed into Verify and Protect mode, any anomaly that deviates from the known good manifest is detected so it can be acted upon.  Since AppDefense knows how the application should be functioning, the attack surface is very narrow, which makes anomalies and deviations easier to detect and gives high confidence that they represent malicious activity.

If AppDefense detects an anomaly, it can provide a risk analysis of the anomaly for inspection. The Security Administrator can review this analysis and either apply an automated remediation or allow the behavior if it’s found to be a new known good process.  This makes AppDefense a powerful tool not only for finding anomalies but also for quickly resolving process activity that needs to be allowed. Once the behavior is allowed, the process is placed into the whitelist manifest and is now an accepted behavior that no longer needs to be remediated.

 

Automating Remediation

Perhaps the most powerful capability of AppDefense is its ability to automatically remediate against anomalies representative of malicious activity.  A Security Administrator can now prescribe several remediation techniques in an automated fashion based on the application.  There are four main behaviors that AppDefense monitors:

  • Inbound Communications – Each whitelisted process has specific inbound communications associated with it. Any new inbound communication to an existing whitelisted process, or to a new process, can be automatically remediated against.
  • Outbound Communications – Each whitelisted process has specific outbound communications associated with it. Any new outbound communication from an existing whitelisted process, or from a new process, can be automatically remediated against.
  • Enable Guest OS Integrity – The guest module monitors the kernel of the guest OS to prevent tampering and to detect whether it has been tampered with. Any change can be alerted on and acted upon automatically.
  • Enable Host Module Integrity – The host module that runs in the vSphere hypervisor is protected against tampering. Any change can be alerted on and acted upon automatically.

Each of these four behavior monitors has the following capabilities for automated remediation.

  • Quarantine – When coupled with NSX, AppDefense can automatically quarantine an application to block all incoming and outgoing traffic from the virtual machine.
  • Suspend – AppDefense uses the vCenter APIs to place the virtual machine in suspend mode.
  • Power Off – AppDefense uses the vCenter APIs to power off the virtual machine.
  • Snapshot – AppDefense uses the vCenter APIs to take a snapshot of the virtual machine.
  • Alert – AppDefense sends an alert to the alarms view in the AppDefense interface but takes no other action. This is the typical setting while testing remediations.
  • Block and Alert – AppDefense sends an alert to the alarms view and blocks subsequent anomalies that are identical.

AppDefense NSX Integration – Automated Quarantine

AppDefense has optional integration with the VMware NSX platform, specifically the Distributed Firewall and Service Composer capabilities.  Once AppDefense is connected to an NSX Manager, it automatically deploys a security policy, security group, and security tag for AppDefense to use.

When configured, the quarantine rule in AppDefense uses this NSX integration to flag an application when an anomaly is detected.  If an anomaly is detected and the rule is set to quarantine, AppDefense uses the NSX Manager APIs to attach the AppDefense security tag to the offending virtual machine.  This security tag is the inclusion criterion for the AppDefense quarantine security group, to which the AppDefense quarantine security policy is applied to block all inbound and outbound traffic.
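As an added illustration (not AppDefense’s own code or API), the following Python models the capture, Verify and Protect, and per-behavior remediation flow described above, including the NSX quarantine path where attaching a security tag makes the VM a member of the quarantine security group. The tag name, process names and addresses are constructed for the example.

```python
from dataclasses import dataclass, field

QUARANTINE_TAG = "AppDefense.Quarantine"   # hypothetical NSX security tag name


@dataclass(frozen=True)
class Behavior:
    vm: str          # protected virtual machine
    process: str     # process that opened the connection
    direction: str   # "inbound" or "outbound"
    peer: str        # remote address
    port: int


@dataclass
class Scope:
    name: str
    mode: str = "capture"                              # "capture" or "verify"
    manifest: set = field(default_factory=set)         # whitelisted behaviors
    remediation: dict = field(default_factory=dict)    # direction -> action
    nsx_tags: dict = field(default_factory=dict)       # vm -> set of tags
    alarms: list = field(default_factory=list)

    def observe(self, b: Behavior):
        """Capture mode records the behavior; verify mode returns the action taken."""
        if self.mode == "capture":
            self.manifest.add(b)
            return None
        if b in self.manifest:
            return None                      # known good, nothing to do
        action = self.remediation.get(b.direction, "alert")
        self.alarms.append((b, action))
        if action == "quarantine":           # NSX path: the tag drives group membership
            self.nsx_tags.setdefault(b.vm, set()).add(QUARANTINE_TAG)
        return action

    def allow(self, b: Behavior):
        """Administrator accepts a flagged behavior into the whitelist manifest."""
        self.manifest.add(b)


def quarantine_members(scope: Scope):
    """VMs the NSX quarantine security group would contain (tag-based inclusion)."""
    return sorted(vm for vm, tags in scope.nsx_tags.items() if QUARANTINE_TAG in tags)


def demo():
    s = Scope("three-tier-app",
              remediation={"inbound": "block_and_alert", "outbound": "quarantine"})
    # Constructed capture-phase observations of the web tier
    s.observe(Behavior("web-vm1", "httpd", "inbound", "0.0.0.0/0", 443))
    s.observe(Behavior("web-vm1", "httpd", "outbound", "172.16.20.11", 8080))
    s.mode = "verify"
    results = [
        s.observe(Behavior("web-vm1", "httpd", "inbound", "0.0.0.0/0", 443)),       # in manifest
        s.observe(Behavior("web-vm1", "httpd", "inbound", "0.0.0.0/0", 8443)),      # new port
        s.observe(Behavior("web-vm1", "svc-unknown", "outbound", "203.0.113.9", 4444)),
    ]
    new_peer = Behavior("web-vm1", "httpd", "outbound", "172.16.20.12", 8080)
    first = s.observe(new_peer)
    s.allow(new_peer)                        # reviewed and accepted as known good
    results += [first, s.observe(new_peer)]
    return results, quarantine_members(s)
```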

AppDefense is a powerful new tool for building a least privilege compute model of security within the data center. AppDefense uses the unique properties of virtualization (Application Visibility, Isolation, and Automation) to capture, detect, and respond to application activity in the data center.  Building a least privilege compute security model with traditional security products is difficult, as traditional security products alone do not provide the necessary combination of context, isolation, and automation.  AppDefense takes a new approach of “Ensuring Good” versus “Chasing Bad” to make a least privilege compute model a reality.


The post Ensuring Good with VMware AppDefense appeared first on Network Virtualization.

NSX-T: Routing where you need it (Part 1)


 

Network virtualization has come a long way. NSX has played a key role in redefining and modernizing networking in the datacenter. Providing an optimal routing path for traffic has been one of the topmost priorities of Network Architects. Thanks to NSX distributed routing, routing between different subnets on an ESXi hypervisor can be done in the kernel, and traffic never has to leave the hypervisor. With NSX-T, we take this a step further and extend this network functionality to multi-hypervisor and multi-cloud environments. NSX-T is a platform that provides Network and Security virtualization for a plethora of compute nodes such as ESXi, KVM, Bare Metal, Public Clouds and Containers.

 

This blog series will introduce NSX-T Routing & focus primarily on Distributed Routing. In this part I will explain Distributed Routing in detail with a packet walk between VMs sitting on the same and on different hypervisors. In the next parts of this blog series, I will discuss connectivity to the physical infrastructure, routing features & multi-tenant routing.

Let’s start with a quick reference to NSX-T architecture.

 

NSX-T Architecture

NSX-T has a built-in separation of the Management Plane (NSX-T Manager), Control Plane (NSX-T Controllers) and Data Plane (hypervisors, containers, etc.). I highly recommend going through the NSX-T whitepaper for detailed information on the architecture, to understand the components and functionality of each plane.

 

A couple of interesting points that I want to highlight about the architecture:

  • NSX-T Manager is decoupled from vCenter and is designed to run across all these heterogeneous platforms.
  • NSX-T Controllers serve as the central control point for all the logical switches/routers within a network and maintain information about hosts and logical switches/routers.
  • NSX-T Manager and NSX-T Controllers can be deployed in a VM form factor on either ESXi or KVM.
  • In order to provide networking to different types of compute nodes, NSX-T relies on a virtual switch called the “hostswitch”. The NSX management plane fully manages the lifecycle of this hostswitch. It is implemented as a variant of the VMware virtual switch on ESXi-based endpoints and as Open vSwitch (OVS) on KVM-based endpoints.
  • The Data Plane stretches across a variety of compute nodes: ESXi, KVM, Containers, and NSX-T Edge nodes (the on/off ramp to the physical infrastructure).
  • Each of these compute nodes is a transport node & will have a TEP (Tunnel End Point) IP. Depending upon the teaming policy, a host could have one or more TEPs.
  • NSX-T uses GENEVE as the underlying overlay protocol for these TEPs to carry Layer 2 information across Layer 3. GENEVE gives us complete flexibility to insert metadata as TLV (Type, Length, Value) fields, which could be used for new features. One example of this metadata is the VNI (Virtual Network Identifier). We recommend an MTU of 1600 to account for the encapsulation header. GENEVE is a standard under development at the IETF; more details can be found in the following IETF draft: https://datatracker.ietf.org/doc/draft-ietf-nvo3-geneve/
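As an added example (not NSX-T code or the blog’s own output), here is a minimal GENEVE header encoder/decoder following the layout of the IETF draft as published in RFC 8926, plus the budget the recommended 1600-byte MTU leaves for the inner frame. The VNI 21386 comes from this post; the option class/type values, the option payload and the IPv4 underlay are assumptions of the example.

```python
import struct

ETH_BRIDGING = 0x6558   # Protocol Type for an Ethernet payload (Transparent Ethernet Bridging)


def pack_geneve(vni, options=(), proto=ETH_BRIDGING):
    """Build a GENEVE base header plus TLV options (RFC 8926 layout).
    options: (opt_class, opt_type, data) tuples; data length must be a multiple of 4."""
    opts, critical = b"", False
    for opt_class, opt_type, data in options:
        if len(data) % 4 or len(data) > 124:
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
        critical |= bool(opt_type & 0x80)          # high bit of Type marks a critical option
        opts += struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data
    if len(opts) > 252:
        raise ValueError("options exceed the 6-bit Opt Len field")
    ver_optlen = (0 << 6) | (len(opts) // 4)       # Ver=0, Opt Len counted in 4-byte words
    flags = 0x40 if critical else 0x00             # C bit: receiver must understand the options
    return struct.pack("!BBH", ver_optlen, flags, proto) + (vni << 8).to_bytes(4, "big") + opts


def parse_geneve(buf):
    """Decode a GENEVE header; returns vni, proto, options and the inner payload."""
    if len(buf) < 8:
        raise ValueError("truncated GENEVE base header")
    ver_optlen, flags, proto = struct.unpack("!BBH", buf[:4])
    version, opt_len = ver_optlen >> 6, (ver_optlen & 0x3F) * 4
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    if len(buf) < 8 + opt_len:
        raise ValueError("options extend past end of packet")
    vni = int.from_bytes(buf[4:7], "big")          # 24-bit VNI followed by one reserved byte
    options, pos = [], 8
    while pos < 8 + opt_len:
        opt_class, opt_type, ln = struct.unpack("!HBB", buf[pos:pos + 4])
        data_len = (ln & 0x1F) * 4                 # low 5 bits: length in 4-byte words
        if pos + 4 + data_len > 8 + opt_len:
            raise ValueError("option runs past Opt Len")
        options.append((opt_class, opt_type, buf[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    if any(t & 0x80 for _, t, _ in options) and not flags & 0x40:
        raise ValueError("critical option present but C bit clear")
    return {"vni": vni, "proto": proto, "critical": bool(flags & 0x40),
            "options": options, "payload": buf[8 + opt_len:]}


def inner_frame_budget(outer_mtu=1600, option_bytes=0):
    """Largest inner Ethernet frame that fits: outer MTU minus IPv4 (20), UDP (8),
    GENEVE base header (8) and any options. Assumes an IPv4 underlay without IP options."""
    return outer_mtu - 20 - 8 - 8 - option_bytes
```

With no options, a 1600-byte underlay MTU leaves 1564 bytes for the inner frame, so a standard 1514-byte Ethernet frame fits with room for a few option words.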

 

Before we dive deep into routing, let me define a few key terms.

Logical Switch is a broadcast domain which can span across multiple compute hypervisors. VMs in the same subnet would connect to the same logical switch. 

 

Logical Router provides North-South, East-West routing between different subnets & has two components: Distributed component that runs as a kernel module in hypervisor and Centralized component to take care of centralized functions like NAT, DHCP, LB and provide connectivity to physical infrastructure.

Types of interfaces on a Logical Router

  • Downlink – Interface connecting to a Logical Switch.
  • Uplink – Interface connecting to the physical infrastructure/physical router.
  • RouterLink – Interface connecting two Logical Routers.

 

Edge nodes are appliances with a pool of capacity to run the centralized services and act as the on/off ramp to the physical infrastructure. You can think of an Edge node as an empty container which hosts one or more Logical Routers to provide centralized services and connectivity to physical routers. An Edge node is a transport node just like a compute node and will also have a TEP IP to terminate overlay tunnels.

They are available in two form factors: Bare Metal or VM (both leveraging the Linux Foundation project DPDK).

 

Moving on, let’s also get familiarized with the topology that I will use throughout this blog series.

I have two hypervisors in the topology above, ESXi and KVM. Both hypervisors have been prepared for NSX & have been assigned a TEP (Tunnel End Point) IP: ESXi host 192.168.140.151, KVM host 192.168.150.152. These hosts have L3 connectivity between them via the transport network. I have created 3 Logical Switches via NSX Manager & have connected a VM to each of the switches. I have also created a Logical Router named Tenant 1 Router, which is connected to all three logical switches and acts as the default gateway for each subnet.

Before we look at the routing table, packet walk, etc., let’s look at how the configuration appears in NSX Manager. Here is the switching configuration, showing the 3 Logical Switches.

Following is the configuration of the ports on the Tenant 1 Logical Router.

 

Once configured via NSX Manager, the logical switches and routers are pushed to both the hosts, ESXi and KVM. Let’s validate that on both hosts. Following is the output from ESXi showing the Logical switches and router.

 

Following is the output from KVM host showing the Logical switches and router.

 

NSX Controller MAC learning and advertisement

 

Before we look at the packet walk, it is important to understand how remote MAC addresses are learnt by the compute hosts. This is done via the NSX Controllers.  As soon as a VM comes up and connects to a Logical Switch, the local TEP registers the VM’s MAC with the NSX Controller. The following output from the NSX Controller shows that the MAC addresses of Web VM1, App VM1 and DB VM1 have been reported by their respective TEPs. The NSX Controller then publishes this MAC/TEP association to the compute hosts, depending upon the type of host.

Now, we will look at the communication between VMs on the same hypervisor.

 

Distributed Routing for VMs hosted on the same Hypervisor

 

We have Web VM1 and App VM1 hosted on the same ESXi hypervisor. Since we are discussing communication between VMs on the same host, I am showing just the relevant topology below.

 

Following is how traffic would go from Web VM1 to App VM1.

  1. Web VM1 (172.16.10.11) sends traffic to its gateway 172.16.10.1, as the destination (172.16.20.11) is in a different subnet. This traffic traverses Web-LS and goes to the Downlink interface of the local distributed router running as a kernel module on the ESXi host.
  2. A routing lookup happens on the ESXi distributed router. The router has 3 logical interfaces (LIFs) & the 172.16.20.0/24 subnet is a connected route. The packet is put on the LIF connecting to App-LS.
  3. A destination MAC lookup for the MAC address of App VM1 is needed to forward the frame. Since App VM1 is also hosted on the same ESXi host, the MAC address lookup finds a local MAC entry, as highlighted in the diagram above.
  4. The L2 rewrite is done, and the packet is put on App-LS and sent to App VM1.

Please note that the packet didn’t have to leave the hypervisor to get routed; this routing happened in the kernel. Now that we understand the communication between two VMs (in different subnets) on the same hypervisor, let’s take a look at the packet walk from Web VM1 (172.16.10.11) on ESXi to DB VM1 (172.16.30.11) hosted on KVM.

 

Distributed Routing for VMs hosted on the different Hypervisors (ESXi & KVM)

 

  1. Web VM1 (172.16.10.11) sends ICMP traffic to its default gateway 172.16.10.1, as the destination (172.16.30.11) is in a different subnet. This traffic traverses Web-LS and goes to the Downlink interface of the local distributed router on the ESXi host.
  2. A routing lookup happens on the ESXi distributed router (DR). The router has 3 logical interfaces (LIFs) & 172.16.30.0/24 is a directly connected route. The packet is put on the LIF connecting to DB-LS. The following output shows the DR on the ESXi host and its routing table.
  3. A destination MAC lookup for the MAC address of DB VM1 is needed to forward the frame. The MAC lookup is done and the MAC address of DB VM1 is found to have been learnt via remote TEP 192.168.150.152. Again, this MAC/TEP association table was published by the NSX Controller to the hosts.
  4. The ESXi TEP encapsulates the packet and sends it to the remote TEP with Outer Src IP=192.168.140.151, Dst IP=192.168.150.152.
  5. The packet is received at the remote KVM TEP 192.168.150.152, where the VNI (21386) is matched. A MAC lookup is done and the packet is delivered to DB VM1 after the encapsulation header is removed.
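The two packet walks above, modelled as an added example (not NSX-T code): a toy distributed router holding only the three connected LIF routes, an IP-to-MAC table, and the controller-published MAC/TEP table, deciding between local delivery and GENEVE encapsulation to the remote TEP. The TEP IPs, VM IPs and DB-LS VNI 21386 come from the post; the MAC addresses and the Web-LS/App-LS VNIs are placeholders, and the toy drops traffic with no connected route instead of forwarding it to a default route.

```python
import ipaddress

LOCAL_TEP = "192.168.140.151"          # this ESXi host's TEP (from the post)
REMOTE_KVM_TEP = "192.168.150.152"     # KVM host's TEP (from the post)

# Constructed DR state for Tenant 1 Router: LIF -> (connected subnet, logical switch, VNI).
# Only the DB-LS VNI (21386) appears in the post; the other two VNIs are placeholders.
LIFS = {
    "lif-web": (ipaddress.ip_network("172.16.10.0/24"), "Web-LS", 21384),
    "lif-app": (ipaddress.ip_network("172.16.20.0/24"), "App-LS", 21385),
    "lif-db":  (ipaddress.ip_network("172.16.30.0/24"), "DB-LS",  21386),
}
# Constructed IP->MAC table and the controller-published MAC->TEP association table.
ARP = {"172.16.20.11": "00:50:56:aa:20:11", "172.16.30.11": "00:50:56:aa:30:11"}
MAC_TEP = {"00:50:56:aa:20:11": LOCAL_TEP, "00:50:56:aa:30:11": REMOTE_KVM_TEP}


def route_lookup(dst_ip):
    """Longest-prefix match over the DR's connected routes; returns the LIF name or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for lif, (net, _, _) in LIFS.items():
        if addr in net and (best is None or net.prefixlen > LIFS[best][0].prefixlen):
            best = lif
    return best


def forward(src_ip, dst_ip):
    """Decide what the local DR does with a packet from src_ip to dst_ip."""
    src_lif, dst_lif = route_lookup(src_ip), route_lookup(dst_ip)
    if dst_lif is None:
        return {"action": "drop", "reason": "no connected route in this toy DR"}
    if src_lif == dst_lif:
        return {"action": "bridge", "reason": "same subnet, switched on the LS, DR not involved"}
    _, switch, vni = LIFS[dst_lif]
    mac = ARP.get(dst_ip)
    tep = MAC_TEP.get(mac)
    if mac is None or tep is None:
        return {"action": "resolve", "switch": switch, "reason": "MAC/TEP not yet learnt"}
    if tep == LOCAL_TEP:                 # destination VM lives on this host: L2 rewrite only
        return {"action": "local", "switch": switch, "dst_mac": mac}
    return {"action": "encap", "switch": switch, "dst_mac": mac, "vni": vni,
            "outer_src": LOCAL_TEP, "outer_dst": tep}
```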

 

A quick traceflow validates the above packet walk.

This concludes the routing components part of this blog. In the next blog of this series, I will discuss multi-tenant routing and connectivity to physical infrastructure.

 

Learn More

 

Get started with NSX-T Documentation

http://pubs.vmware.com/nsxt-11/index.jsp

The post NSX-T: Routing where you need it (Part 1) appeared first on Network Virtualization.
