#SEC5775
Importance of Segmentation
About Segmentation
At a fundamental level the SDDC is about the:
- Pooling of physical compute and storage into groups
- Coupled with networks that allow for access to these resources
- Administrative and kernel networks for ESXi shell access and operations like vMotion
- APIs that allow us to interact with those resources
Usage: vSphere, Porticor
- Create Encrypted iSCSI LUNs
- Consume via Storage vSwitches
Porticor Solution
- State of the art encryption: AES 256 / SHA 2 standards based, yet implemented with best-in-class performance
- Streaming, caching, stateless servers, cloud scale solution
[Diagram: ESXi Hosts/Clusters; vSwitch/Port Groups mapped to VLANs]
Usage: vSphere, HyTrust
- Identify vSphere assets
- Label in HyTrust as PCI
- VLANs inherited from Port Groups
HyTrust Multi-Tenancy Wizard
Phone: 650-681-8100
email: info@hytrust.com
Significant Risk of Catastrophic Failure
NSX Architecture
[Diagram: NSX architecture planes]
- Management Plane: vCD/vCAC, vCenter Server, NSX Manager (relationships shown as 1:1 and 1:Many)
- Control Plane: NSX Edge Distributed Router, Controller
- Data Plane: Security, VXLAN, DR, DFW; NSX Edge Services Router
[Diagram: management plane roles] Components: vCD/vCAC, vCenter Server, NSX Manager. Functions shown: provisioning and on-demand provisioning of infrastructure (compute/storage/network); management of compute/memory, storage and the virtual switch; VXLAN preparation; catalogue of applications.
[Diagram: control plane] Network services configuration; NSX Edge Distributed Router; Controller. Functions shown: dynamic routing, scale out, VXLAN with no multicast, ARP suppression, distributed routing.
[Diagram: data plane] NSX Edge Services Router; ESX host kernel modules; message bus. Edge services shown: NAT, DHCP, LB, VPN.
[Diagram: NSX component interfaces] Components: vCD/vCAC, vCenter Server, NSX Manager, Controller (control plane), NSX Edge Distributed Router, NSX Edge Services Router, data plane (security, VXLAN, DR, DFW). Interfaces shown: vSphere API, REST API, VIX API, message bus.
[Diagram: VXLAN unicast traffic] VM2, VM3 and VM4 on VXLAN 5001 across four vSphere hosts with VTEP2 10.20.10.11, VTEP3 10.20.11.10 and VTEP4 10.20.11.11, coordinated by the Controller Cluster.
[Diagram: rack layout] Compute Racks: hypervisor modules. Infra Racks: Controller, VC, NSX Manager. Edge Racks: on/off ramp to WAN and Internet.
Usage
[Diagram: three-tier application over VXLAN] WAN/Internet connect to the network fabric; VXLAN segments (L2 over L3) and 802.1Q VLANs carry the Web Tier, App Tier and DB Tier.
Benefits
- Built into the Hypervisor
- Line Rate Performance (15Gbps/Host)
- Better compliance model
[Diagram: distributed firewall enforcement across VMs]
Benefits
- No Choke Point
- Scale Out
- Enforcement closest to VM
Usage
NSX simplifies the steps for creating firewall rules used for segmenting workload tiers and tenants.
Usage
[Diagram: multi-vCenter deployment] WAN/Internet; ESXi clusters and VMs under vCenter 1 and vCenter 2 (each up to the maximum VMs supported by vCenter); Compute Racks and Edge Racks.
Dynamic routing and overlay networks provide the isolation needed for SDDC resources to be consumed.
Get hands on experience! Partner Hands On Lab with HyTrust, Catbird and LogRhythm to go with VMware NSX Hands On Labs.
Visit the HyTrust booth and Porticor online at http://www.porticor.com/porticor-forvmware/ for more information.
Related sessions by topic (NSX, NSX Firewall, NSX Service Composer, Compliance, Other):
- 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird, Jefferson Radiology)
- 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904) (Intel and HyTrust)
- 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)
VMware Collateral
Partner Collateral
How to Engage?
compliance-solutions@vmware.com
@VMW_Compliance on Twitter
HOL:
- HOL-SDC-1315: vCloud Suite Use Cases - Control & Compliance
- HOL-SDC-1317: vCloud Suite Use Cases - Business Critical Applications
- HOL-PRT-1306: Compliance Reference Architecture - Catbird, HyTrust and LogRhythm
Group Discussions:
- SEC1002-GD: Compliance Reference Architecture: Integrating Firewall, Antivirus, Logging and IPS in the SDDC with Allen Shortnacy
THANK YOU
SEC5775: NSX PCI Reference Architecture Workshop Session 1 - Segmentation
Allen Shortnacy, VMware
#SEC5775