VMware Security Briefing. Dan Watson, Senior Systems Engineer, VMware. VMUG, Edinburgh, Feb 24, 2011. © 2010 VMware Inc. All rights reserved. Confidential.


Dec 15, 2015

Transcript
Page 1:

© 2010 VMware Inc. All rights reserved

Confidential

VMware Security Briefing

Dan Watson, Senior Systems Engineer, VMware

VMUG, Edinburgh, Feb 24, 2011

Page 2:

2010 Milestone: Virtualization is Now De Facto Model

We are past a virtual tipping point!

[Chart: Physical Hosts vs. Virtual Machines, 2005 to 2013, y-axis 0 to 17,500,000; the "VM Cross Over" point marks where virtual machines overtake physical hosts. Source: IDC]

84% of all virtualized applications in the world run on VMware.

Gartner, December 2009

Page 3:

Virtualization Paves the Way to a New Era in IT

Mainframe

PC / Client-Server

Web

Cloud

Cloud Computing will transform the delivery and consumption of IT services

Virtualization

Page 4:

Security Journey to the Private and Hybrid Clouds

“Air Gapped” Pods -> Mixed Trust Hosts -> Secure Hybrid Cloud

HYPE / REALITY

Public Cloud

FUTURE

Page 5:

ENTERPRISE DATA CENTER SECURITY & NETWORKING TODAY

vSphere

Users

Sites

Backend Services

- Network segmentation, firewalls, IDS/IPS
- Server A/V agents
- App | data | identity aware security, compliance

- DMZ firewall, NAT, IPAM, VR
- Site and user VPNs
- Web load balancers

- Desktop A/V agents
- DLP, FIM, whitelisting

DMZ

Web

View

Page 6:

VMware’s Security Vision for Secure Clouds

Virtualize Security into Security VMs (SVMs), including partner offers

Unify security into a programmable, trust zone/policy framework

Encapsulate and standup secure vApps, VDCs on demand

Secure the virtualization stack – Infrastructure, Apps, End Users

Bring the benefits of Cloud Computing to the Enterprise, via Secure Hybrid Clouds

“Disruptively Simplified” Security

Page 7:

First Priority is to Virtualize Security Infrastructure

Apps / DB Tier

DMZ

Users

Sites

Web Servers

1. Virtualize and consolidate security functions into the hypervisor

2. Leads to a much simplified, agile architecture

Page 8:

Secure vApps simplify Cloud Deployments

Users

Sites

Secure IaaS

IaaS = It’s About Apps Stupid!

Secure vApp

Page 9:

VMware vShield Partners

VMworld 2010 Launch

Page 10:

2010 – Introducing vShield Products

VMware vSphere + vCenter

Securing the Private Cloud End to End: from the Edge to the Endpoint

Edge

vShield Edge

Secure the edge of the virtual datacenter

Security Zone

vShield App

Application protection from network based threats

Endpoint = VM

vShield Endpoint

Enables offloaded anti-virus

Virtual Datacenter 1 Virtual Datacenter 2

DMZ PCI compliant

HIPAA compliant

Web / View

VMware vShield

VMware vShield Manager

Page 11:

vShield Endpoint – Efficient Anti-Virus for Virtual Servers and Desktops

[Diagram: VMware vSphere with introspection; one Security VM (SVM) running the AV engine on its own OS alongside several guest VMs, each shown as APP / OS kernel / BIOS]

Features

• Offload guest A/V to Security VM (SVM)
• File-scanning engines and virus definitions
• On-demand and on-access scans
• Security VM delivered by leading AV partners
• Enforce remediation using driver in VM
• Policy and configuration management: through UI or REST APIs
• Logging and auditing

Benefits

• Improve performance by offloading anti-virus functions in tandem with AV partners
• Avoids AV storms (I/O spikes, CPU/memory utilization)
• 90% reduction in guest footprint
• Reduce risk by eliminating agents susceptible to attacks, and enforced remediation
• Satisfy audit requirements with detailed logging of AV tasks

Page 12:

vShield Edge - Secure the Edge of the Virtual Data Center

Features

• Multiple edge security services in one appliance
• Stateful inspection firewall
• Network Address Translation (NAT)
• Dynamic Host Configuration Protocol (DHCP)
• Site to site VPN (IPsec)
• Web load balancer
• Network isolation (edge port group isolation)
• Detailed network flow statistics for chargebacks, etc.
• Policy management through UI or REST APIs
• Logging and auditing based on syslog format

Benefits

• Lower cost and complexity by eliminating multiple special purpose appliances
• Ensure policy enforcement with network isolation
• Scale-out architecture with one edge per org/tenant
• Programmable interfaces enable automation
• Rapid provisioning of edge security services
• Simplify IT compliance with detailed logging

[Diagram: VMware vSphere hosting Tenant A, Tenant C and Tenant X, each behind its own VMware vShield Edge providing VPN, load balancer and firewall]

Page 13:

vShield App - Application Protection for Network Based Threats

Features

• Hypervisor-level firewall
• Inbound, outbound connection control applied at vNIC level
• Elastic security groups - “stretch” as virtual machines migrate to new hosts
• Robust flow monitoring
• Policy management
  • Simple and business-relevant policies
  • Managed through UI or REST APIs
• Logging and auditing based on industry standard syslog format

Page 14:

[Diagram: TODAY - PCI compliant, DMZ and PCI compliant workloads kept apart by an “air gap” between hosts; with vShield App - mixed trust hosts on VMware vSphere / vCenter with virtual isolation and segmentation]

vShield App enables Mixed Trust Zones!

Page 15:

Leveraging vShield App for Better-than-Physical Security

Key Benefits

• Complete visibility into, and control of, inter-VM traffic, enabling mixed trust zones on the same ESX cluster

Better than Physical

• Distributed virtual firewall with scaleout port density

• Hypervisor level introspection provides access to inter-VM traffic

• Intuitive trust zones leverage vCenter inventory; independence from physical network segmentation or re-configuration

• Security policies follow the VMs

• Built in firewall capabilities provide better than physical security at 1/3rd the cost

[Diagram label: Security Policy]

Page 16:

3 Use Cases are Emerging…

1. App / Server protection in vSphere environments

2. Protection of View environments

3. Private and hybrid vCloud security

Page 17:

Use Case #1: Securing Business Critical Applications

[Diagram: VMware vSphere + vShield with DMZ, Finance and Development zones protected by VMware vShield App]

Requirements

• Deploy production apps in a shared infrastructure with:
  • Traffic segmentation between applications
  • Improve consolidation ratios
  • Authorized access to applications by LOB
  • Monitor, secure inter-VM communications
  • Maintain security policies with vMotion
  • Comply with various audit requirements

Page 18:

Securing vSphere with Physical Security Solutions Today

Customers cannot realize true virtualization benefits due to security concerns

[Diagram: VIRTUALIZED DMZ WITH FIREWALLS - Internet, then Perimeter Security, Interior Security and Endpoint Security in front of a Web Zone, Application Zone and Database Zone, each on its own vSphere pod]

• Air Gapped Pods with dedicated physical hardware
• Mixed trust clusters without internal security segmentation
• Configuration complexity
  – VLAN sprawl
  – Firewall rules sprawl
  – Rigid network IP rules without resource context
• Private clouds (?)

Page 19:

Use Case #1: Solution with vShield App

Features

• Hypervisor-level firewall - inbound, outbound connection control applied at vNIC level
• Elastic security groups - “stretch” as virtual machines migrate to new hosts
• Robust flow monitoring; logging and auditing based on industry standard syslog format
• Policy management - simple and business-relevant policies
• Programmable - managed through UI or REST APIs, enabling script-based automation
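The vNIC-level firewall and security-group model described on slides 13, 15 and 19 can be made concrete with a small policy simulator. This is an added example, not VMware code and not the vShield App policy format: it models rules written against vCenter-style security groups rather than IP addresses, evaluates them as an ordered, first-match list with a configurable default, shows that a host change (vMotion) leaves the decision untouched, and includes the check a practitioner wants before calling two zones on one cluster "isolated": a reachability sweep that lists every flow the policy allows from one zone into another. The VM names, addresses, hosts, groups and rules are constructed for the example.

```python
"""Object-based firewall policy model for mixed-trust zones on one cluster.

Added example, not VMware code and not the real vShield App policy format.
Rules refer to security groups taken from inventory, not IP addresses, so a
VM keeps its policy when it migrates to another host. All VM names, IPs,
hosts, groups and rules below are constructed for the example.
"""
from dataclasses import dataclass, replace
from itertools import product
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str                 # ESX host currently running the VM
    groups: FrozenSet[str]    # security-group membership from inventory


@dataclass(frozen=True)
class Rule:
    src_group: str            # "*" matches any source
    dst_group: str            # "*" matches any destination
    port: Optional[int]       # None matches any destination port
    action: str               # "allow" or "deny"


class DistributedFirewall:
    """Ordered, first-match rule set applied at every vNIC with one default."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        if default not in ("allow", "deny"):
            raise ValueError("default must be 'allow' or 'deny'")
        self.rules = list(rules)
        self.default = default

    @staticmethod
    def _matches(rule: Rule, src: VM, dst: VM, port: int) -> bool:
        return ((rule.src_group == "*" or rule.src_group in src.groups)
                and (rule.dst_group == "*" or rule.dst_group in dst.groups)
                and (rule.port is None or rule.port == port))

    def decide(self, src: VM, dst: VM, port: int) -> str:
        # The decision depends only on group membership and port, never on host or IP.
        for rule in self.rules:
            if self._matches(rule, src, dst, port):
                return rule.action
        return self.default

    @staticmethod
    def migrate(vm: VM, new_host: str) -> VM:
        # vMotion changes the host; inventory membership and IP are untouched.
        return replace(vm, host=new_host)

    def cross_zone_allows(self, vms: List[VM], src_zone: str, dst_zone: str,
                          ports: List[int]) -> List[Tuple[str, str, int]]:
        """Every (src, dst, port) the policy permits from src_zone into dst_zone.

        Run this before declaring two trust zones isolated on a shared cluster;
        a list containing only the intended entry points is the evidence an
        auditor will ask for.
        """
        return [(s.name, d.name, p)
                for s, d, p in product(vms, vms, ports)
                if src_zone in s.groups and dst_zone in d.groups
                and self.decide(s, d, p) == "allow"]


def build_demo() -> Tuple[DistributedFirewall, List[VM]]:
    """Constructed inventory: a PCI web/db pair sharing a cluster with a dev box."""
    web = VM("pci-web-01", "10.1.0.10", "esx-01", frozenset({"pci", "web"}))
    db = VM("pci-db-01", "10.1.0.20", "esx-01", frozenset({"pci", "db"}))
    dev = VM("dev-01", "10.2.0.5", "esx-02", frozenset({"dev"}))
    rules = [
        Rule("web", "db", 3306, "allow"),   # web tier may reach the DB tier
        Rule("*", "web", 443, "allow"),     # anyone may reach the web tier on 443
        Rule("*", "pci", None, "deny"),     # nothing else enters the PCI zone
    ]
    return DistributedFirewall(rules, default="deny"), [web, db, dev]


if __name__ == "__main__":
    fw, vms = build_demo()
    web, db, dev = vms
    print("web -> db 3306:", fw.decide(web, db, 3306))            # allow
    print("dev -> db 3306:", fw.decide(dev, db, 3306))            # deny
    moved = fw.migrate(web, "esx-02")
    print("after vMotion:", fw.decide(moved, db, 3306))           # allow, unchanged
    print("dev -> pci:", fw.cross_zone_allows(vms, "dev", "pci", [443, 3306]))
    # Same rules without the explicit deny and with a permissive default: the
    # sweep now shows the DB tier reachable from dev, the classic gap.
    loose = DistributedFirewall(fw.rules[:2], default="allow")
    print("loose dev -> pci:", loose.cross_zone_allows(vms, "dev", "pci", [443, 3306]))
```

The sweep is deliberately written over group membership, so adding a VM to the inventory or moving one between hosts is covered without touching the rules; the contrast between the strict and the "loose" rule set shows why the explicit deny into the PCI group (or a default-deny) is what actually produces the isolation the slides promise.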

Page 20:

Use Case #2: Secure View Deployments

Solution - vShield Endpoint + App + Edge

• Improve performance by offloading AV processing
• Reduce costs by freeing up virtual machine resources and eliminating agents
• Improve security by streamlining AV functions to a hardened security virtual machine (SVM)
• Protect View application servers from threats
• Demonstrate compliance and satisfy audit requirements with detailed logging of offloaded AV tasks

Requirements

• Support thousands of internal and external View users with:
  • Comprehensive security for View servers
  • Anti-virus agents to protect client data and applications
  • Optimal performance and scalability
  • Protection between desktop VMs and internal servers

[Diagram: VMware vSphere + vShield with DMZ, View Desktops and Virtual Servers; Remote User on the Public Network, Local User on the Private Network; VMware vShield App]

Page 21:

Use Case #2 Solution: vShield Edge, App, and EndPoint

vShield solutions secure View deployments within virtual desktops, for internal applications, and at the network perimeter.

[Diagram: Server Farm]

Page 22:

Use Case #3: Service Provider - Multi-Tenant Hosting Service

[Diagram: Company A, Company B and Company C hosted on VMware vSphere + vCenter + vShield, each connecting over its own VPN (Cisco VPN, Juniper VPN, VMware VPN) to a vShield Edge managed by VMware vCloud Director]

Solution – vShield Edge, VMware vCloud Director

• Guarantee full confidentiality and protection of tenant apps and data with built-in firewall and VPN
• Use enterprise directory services for security policies
• Accelerate compliance by logging all traffic information on a per-tenant basis
• Lower cost of security by 100+% by eliminating purpose built appliances and by increasing utilization and VM density

Requirements

• Host thousands of tenants in shared infrastructure with:
  • Traffic isolation between the tenants
  • Protection, confidentiality of tenant apps and data
  • Integration with Active Directory
  • Compliance with various audit requirements

NOTE: Private Cloud is a simplified version of the Service Provider Use Case

Page 23:

vShield for vCloud Director

[Diagram: vCloud Director Organization with vDC1, vDC2 and a vApp; NAT, DHCP, Firewall and SECURE VPN at the vDC edge]

• Deploy Orgs, vDCs
• Secure the perimeter
• Connect remote vDCs - secure VPN access
• Scale out web servers - load balancer
• Defense-in-depth for sensitive apps – vShield App
• Efficient endpoint protection – vShield Endpoint

Security as a service

• Automated (scripts), RESTful APIs
• Managed by IT

Page 24:

Private & Partner vClouds = Secure Hybrid Cloud Computing

[Diagram: Public Cloud (VDC Silver, made up of resource pools) joined to the Private Cloud over a Secure VPN; VMware vCloud Datacenter Service]

Secure the VM, i.e. lock down the virtual server

Secure the vApp, i.e. protect your IP

Secure the VDC, i.e. protect the logical perimeter

Page 25:

Vision: Disruptively Simplified Secure Private & Hybrid Clouds

[Diagram: VMware vSphere security services (Edge, App, Endpoint) protecting a Finance vApp, a View VDC, a vCloud VDC and a Spring Framework vApp on an External / Partner vCloud, connected over SECURE VPN]

1. Stand up zoned vApps on vSphere

2. Stand up secure View VMs on demand

3. Stand up vApps in multi-tenant vCloud VDC

4. Stand up Spring vApps on vCloud

Page 26:

Vision: Comprehensive Security across the VMware Stack

[Diagram: the VMware stack in three layers - Layer 1: Cloud Infrastructure (vSphere, IaaS, Server VMs, Desktop VMs); Layer 2: Cloud Application Platforms (PaaS, SaaS, Data, Enterprise Apps, Web 2.0 Apps); Layer 3: End User Computing - with Management & Orchestration and Security Management / Compliance (Policies, Events) spanning all layers. Security domains shown: Edge Sec, App Sec, Data Sec, VI Sec, EndPt Sec, Id Sec, Trust Sec. VMware & Partners]

Page 27:

The Emerging Security Ecosystem…

[Diagram: Physical Network (NetSec) beneath vSphere & vCenter; EPSec; vShield – Security APIs; vCloud Director – Security Self-Service; vShield SDK - Ecosystem…]

SEVERAL INTEGRATION POINTS

1. Virtual Infrastructure
2. Security VMs (EndPoint, App, Edge)
3. Security Engines (AV, DLP, FW, IDS, FW, VPN, …)
4. vShield Manager
5. Security Services

Page 28:

Summary: Security Journey to the Cloud

[Diagram: Service Provider with Tenant A and Tenant B; WEB, APP and DB tiers on vSphere; Internet]

Air Gapped Pods -> Mixed Trust Zones -> Secure Hybrid Clouds

Page 29:

Thank you

Question & Answer Session