
SEC5775
NSX PCI Reference Architecture Workshop Session 1 - Segmentation
Allen Shortnacy, VMware
#SEC5775
August 2013

2013 VMware Inc. All rights reserved

Importance of Segmentation

About Segmentation
At a fundamental level the SDDC is about the:
- Pooling of physical compute and storage into groups
- Coupled with networks that allow for access to these resources
- Administrative and kernel networks for ESXi shell access and operations like vMotion
- APIs that allow us to interact with those resources

Auditors rely on scope to define those items that should be audited
- In the SDDC it is easy to declare that everything is in scope due to shared resources
- We need effective tools to declare scopes and their usage as well as their join rules
- For those workloads that serve business function we want coherent policies

Value Propositions of Segmenting with NSX
- Reducing the scope of the infrastructure subject to audit will reduce audit costs
- Leverage NSX to establish networks with policies that are transitive across the datacenter
- Clearly define and orchestrate VMware and Technology Partners to monitor layers

Four Steps to Segmenting the SDDC

1. vSphere and Networking
- Hosts and Storage should also be segmented
- VLANs may still be used but are not relied upon as a control mechanism
- Dedicated cluster for SDDC Management VMs like vCenter, Active Directory

2. Establish VXLAN for Workloads
- Allows for Layer 2 subnets across compliant hosts/clusters
- Provides routes to traverse from Layer 2 to other VXLAN and Edge Shared Services

3. Establish Zones for Shared Services, DMZ, etc. with Edge
- Active Directory serving Enterprise users, DNS, Messaging, Email, etc.
- Defining bastion host networks for access to administer these services

4. Establish Service Composer Firewall Policies
- Firewall and other technologies, declaratively enabled, follow the workload
- Workloads that come out of policy for any reason have access restricted

Step 1: Segment Storage for Consumption

Groups
- vSphere Storage Networks
- ESXi Hosts/Clusters to LUNs

Usage
- vSphere, Porticor
- Create Encrypted iSCSI LUNs
- Consume via Storage vSwitches

Segmenting Storage with Encryption and dedicated vSwitches eases consumption while maintaining compliance

Porticor Solution
- State of the art encryption: AES 256 / SHA 2 standards based, yet implemented with best-in-class performance
- Streaming, caching, stateless servers, cloud scale solution
- Cloud key management - The banker
  - Metaphor: a physical safety deposit box is behind strong walls, and requires two keys to open/lock: one for the customer, the other for the banker
  - The secret sauce: split key and homomorphic technology creates this in a virtual environment

Key-splitting and Homomorphic Technology together deliver Trust

The Swiss Banker metaphor
- Customer has a key, Banker has a key
- Master key with Homomorphic key encryption

Demo: Create Encrypted iSCSI LUNs and Map to vSwitch

Step 2: Identify and Label vSphere Components

Groups
- ESXi Hosts/Clusters
- vSwitch/Port Groups to VLANs

Usage
- vSphere, HyTrust
- Identify vSphere assets
- Label in HyTrust as PCI
- VLANs inherited from Port Groups

Identifying Hosts, Storage and Network Assets for compliance scope is the initial step in Segmentation

HyTrust Multi-Tenancy Wizard

2013, HyTrust, Inc. www.hytrust.com | 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040
Phone: 650-681-8100
email: info@hytrust.com

With Great Power Comes Great Responsibility.
Significant Risk of Catastrophic Failure

How HyTrust Protects VMware

Demo: Identify and Tag Core vSphere Asset Groups

PCI DSS 2.0 on VLANs and Segmentation

"Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place."

NSX Architecture

Diagram: the NSX platform split into three planes.
- Management Plane: vCD/vCAC (1:1), vCenter Server, NSX Manager (1:Many)
- Control Plane: NSX Edge Distributed Router, Controller
- Data Plane: ESXi hosts running the Security, VXLAN, DR (Distributed Router) and DFW (Distributed Firewall) kernel modules; NSX Edge Services Router

Management Plane Components

Diagram: Management Plane (vCD/vCAC 1:1, vCenter Server, NSX Manager)

vCD/vCAC
- Self service and on-demand Provisioning of Infrastructure
- Abstracted pool of services (Compute/Storage/Network)
- Catalogue of applications

vCenter Server
- Provisioning and Management of Compute/Memory/Storage
- Virtual Switch

NSX Manager
- Provisioning and Management of Network and Network services
- VXLAN Preparation
- Logical Network Consumption
- Network Services Configuration

Control Plane Components

NSX Edge Distributed Router
- Dynamic Routing
- VXLAN VLAN Bridging
- Distributed Routing

Controller
- Scale Out
- VXLAN - no Multicast
- ARP suppression

Data Plane Components

ESX Host
- Kernel Modules (Security, VXLAN, DR, DFW)
- Message Bus
- User World Agent

NSX Edge Services Router
- NAT
- DHCP
- LB
- VPN

Communication Between The Three Planes

Diagram: the management, control and data planes are wired together through four interfaces, as drawn:
- vSphere API between vCD/vCAC and vCenter Server, and between NSX Manager and vCenter Server
- REST API between vCD/vCAC and NSX Manager, and from NSX Manager to the Controller and the NSX Edge (Distributed Router and Services Router)
- Message Bus from NSX Manager to the ESXi host data plane (Security, VXLAN, DR, DFW)
- VIX API from NSX Manager toward the data plane

VXLAN NSX for vSphere

Diagram: four vSphere hosts share one vSphere Distributed Switch and one VXLAN Transport Network carrying Unicast Traffic, coordinated by the Controller Cluster.
- VXLAN Transport Subnet A 10.20.10.0/24: VTEP1 10.20.10.10 and VTEP2 10.20.10.11
- VXLAN Transport Subnet B 10.20.11.0/24: VTEP3 10.20.11.10 and VTEP4 10.20.11.11
- VM1, VM2, VM3 and VM4 are attached to the same logical segment, VXLAN 5001, regardless of which transport subnet their host sits on
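To make the overlay on this slide concrete, here is an added example (not code from the deck, from VMware or from NSX) that builds a VXLAN header carrying VNI 5001 between the VTEPs shown and lets a receiving VTEP hand the inner frame only to VMs on that segment. The VM placement on VTEP3 and the extra VM on VNI 5002 are constructed assumptions; the outer IP/UDP header is modelled as a dict rather than packed bytes.

```python
import struct

VXLAN_UDP_PORT = 4789     # IANA-assigned UDP port for VXLAN
FLAG_VNI_VALID = 0x08     # "I" flag in the VXLAN header: VNI field is valid

# VTEP addresses come from the slide; VM placement is a constructed assumption.
VTEPS = {"VTEP1": "10.20.10.10", "VTEP3": "10.20.11.10"}
LOCAL_VMS_ON_VTEP3 = {"VM3": 5001, "VM4": 5001, "VM9": 5002}  # VM9 is hypothetical

def vxlan_header(vni):
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    # The 24-bit VNI occupies the upper three bytes of the final 32-bit word.
    return struct.pack("!B3sI", FLAG_VNI_VALID, b"\x00" * 3, vni << 8)

def parse_vxlan(payload):
    """Return (vni, inner Ethernet frame); reject headers without the I flag."""
    flags, _, vni_word = struct.unpack("!B3sI", payload[:8])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VXLAN header without a valid VNI")
    return vni_word >> 8, payload[8:]

def encapsulate(src_vtep, dst_vtep, vni, inner_frame):
    """Sending VTEP: wrap the VM's L2 frame; outer IP/UDP is modelled as a dict."""
    return {"src": VTEPS[src_vtep], "dst": VTEPS[dst_vtep],
            "dport": VXLAN_UDP_PORT, "payload": vxlan_header(vni) + inner_frame}

def deliver(packet, local_vms):
    """Receiving VTEP: decapsulate, then hand the frame only to VMs on that VNI.
    Returns the names of the local VMs that receive the inner frame."""
    if packet["dport"] != VXLAN_UDP_PORT:
        return []
    vni, _inner = parse_vxlan(packet["payload"])
    return [vm for vm, segment in local_vms.items() if segment == vni]

if __name__ == "__main__":
    pkt = encapsulate("VTEP1", "VTEP3", 5001, b"<constructed L2 frame from VM1>")
    print(deliver(pkt, LOCAL_VMS_ON_VTEP3))   # ['VM3', 'VM4']; VM9 on VNI 5002 never sees it
```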

Components Mapped to Physical Infrastructure

Diagram: rack roles in the physical design.
- Compute Racks: Hypervisor Modules
- Infra Racks: Controller, VC, NSX Manager
- Edge Racks: On/off Ramp to WAN/Internet

Step 3: NSX Distributed Edge VXLAN Networks

Groups
- vSwitch/Port Groups to VLANs
- NSX Edge VXLANs

Usage
- Create vDS for VXLAN in vSphere
- NSX Manager prepare hosts, add logical networks and deploy Edges

NSX provides Distributed Logical Routers as well as Distributed Services like Firewall through Edge deployments

Service Placement Distributed Design

Diagram: WAN/Internet connects through the Network Fabric; the L3 and L2 boundaries are carried over VXLAN and 802.1Q (.1Q) segments, with separate VXLAN segments for the Web Tier, App Tier and DB Tier.

Demo: Create Segmented VXLAN Overlay Networks

Hypervisor Kernel Embedded Firewall

Benefits
- Built into the Hypervisor
- Line Rate Performance (15Gbps/Host)
- Better compliance model

Distributed Virtual Firewall

Diagram: many VMs spread across hosts, each protected by the distributed firewall rather than by a central choke point.

Benefits
- No Choke Point
- Scale Out
- Enforcement closest to VM

Step 4: Establish NSX App Distributed Firewall Rules

Groups
- vApp Patterns to Firewall Rules
- NSX Edge Firewall Security Groups

Usage
- vSphere create vDS for VXLAN
- NSX Manager prepare hosts, add logical networks and deploy Edges

NSX simplifies the steps for creating firewall rules used for segmenting workload tiers and tenants

Demo: Create Firewall Policies For Controlling vApp Network Access

Step 4: Establish NSX App Distributed Firewall Rules

Groups
- vSwitch/Port Groups to VLANs
- NSX Edge VXLANs

Usage
- vSphere create vDS for VXLAN
- NSX Manager prepare hosts, add logical networks and deploy Edges

NSX enables migration across segmentation policy controlled hosts while maintaining routing and firewall rule consistency
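The tier policy the two Step 4 slides describe (rules attached to security groups rather than hosts, out-of-policy workloads restricted, a migration leaving the outcome unchanged), as an added example that is not code from the deck or from NSX. The group names, VM names, hosts and ports are constructed assumptions, and treating a workload that lost its compliance tag as quarantined is a choice of this example's policy, not built-in NSX behaviour.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class VM:
    name: str
    host: str                  # current ESXi host; the policy never looks at it
    tags: set = field(default_factory=set)

@dataclass
class Rule:
    src: str                   # security group name, or "any"
    dst: str
    port: Optional[int]        # None matches any port
    action: str                # "allow" or "deny"

TIERS = {"web", "app", "db"}

def groups_of(vm):
    """Security-group membership is derived from tags, not IP, VLAN or host."""
    if vm is None:             # traffic entering from outside the SDDC
        return {"external"}
    if "pci" not in vm.tags:   # workload that has come out of policy
        return {"quarantine"}
    return vm.tags & TIERS

# Constructed three-tier policy: quarantine rules first, default deny last.
POLICY = [
    Rule("quarantine", "any", None, "deny"),
    Rule("any", "quarantine", None, "deny"),
    Rule("any", "web", 443, "allow"),
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 3306, "allow"),
    Rule("any", "any", None, "deny"),
]

def evaluate(policy, src, dst, port):
    """First-match walk of the rule table, as a distributed firewall does."""
    sg, dg = groups_of(src), groups_of(dst)
    for r in policy:
        if ((r.src == "any" or r.src in sg) and (r.dst == "any" or r.dst in dg)
                and r.port in (None, port)):
            return r.action
    return "deny"

# Constructed sample workloads with hypothetical names and hosts
WEB1 = VM("web1", "esx-01", {"pci", "web"})
APP1 = VM("app1", "esx-02", {"pci", "app"})
DB1 = VM("db1", "esx-03", {"pci", "db"})
```

Changing APP1.host (a vMotion) does not alter any verdict, while removing the "pci" tag from WEB1 drops it into the quarantine group and every flow to or from it is denied.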

Capex Value Expressed in Infrastructure Utilization

Diagram: WAN/Internet feeding Edge Racks, Compute Racks of ESXi Clusters holding VMs, and Infrastructure Racks (Storage, vCenter and vCloud Director).
- vCenter 1 (Up-to Max supported VMs by vCenter)
- vCenter 2 (Up-to Max supported VMs by vCenter)

Summary Value Achieved via Segmentation
- Segmentation techniques provide uniform consumption of SDDC while maintaining controls needed for compliance
- Dynamic routing and overlay networks provide isolation needed for SDDC resources to be consumed
- Centralized Policy Management eases the administrative burden by providing networking and firewall rules that are always in context
- Reduced Audit Costs by providing controls of core SDDC elements such as storage and compute bound to networks thereby limiting scope

Get hands on experience! Partner Hands On Lab with HyTrust, Catbird and LogRhythm to go with VMware NSX Hands On Labs

Visit the HyTrust booth and Porticor online at http://www.porticor.com/porticor-forvmware/ for more information

VMworld: Security and Compliance Sessions

Category: NSX
- 5318: NSX Security Solutions In Action (201)
- 5753: Dog Fooding NSX at VMware IT (201)
- 5828: Datacenter Transformation (201)
- 5582: Network Virtualization across Multiple Data Centers (201)

Category: NSX Firewall
- 5893: Economies of the NSX Distributed Firewall (101)
- 5755: NSX Next Generation Firewalls (201)
- 5891: Build a Collapsed DMZ Architecture (301)
- 5894: NSX Distributed Firewall (301)

Category: NSX Service Composer
- 5749: Introducing NSX Service Composer (101)
- 5750: NSX Automating Security Operations Workflows (201)
- 5889: Troubleshooting and Monitoring NSX Service Composer (301)

Category: Compliance
- 5428: Compliance Reference Architecture Framework Overview (101)
- 5624: Accelerate Deployments Compliance Reference Architecture (Customer Panel) (201)
- 5253: Streamlining Compliance (201)
- 5775: Segmentation (301)
- 5820: Privileged User Control (301)
- 5837: Operational Efficiencies (301)

Category: Other
- 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird Jefferson radiology)
- 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904). (Intel and HyTrust)
- 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)

For More Information

VMware Collateral
- VMware Approach to Compliance
- VMware Solution Guide for PCI
- VMware Architecture Design Guide for PCI
- VMware QSA Validated Reference Architecture PCI

Partner Collateral
- VMware Partner Solution Guides for PCI

How to Engage?
- compliance-solutions@vmware.com
- @VMW_Compliance on Twitter

Other VMware Activities Related to This Session

HOL:
- HOL-SDC-1315: vCloud Suite Use Cases - Control & Compliance
- HOL-SDC-1317: vCloud Suite Use Cases - Business Critical Applications
- HOL-PRT-1306: Compliance Reference Architecture - Catbird, HyTrust and LogRhythm

Group Discussions:
- SEC1002-GD: Compliance Reference Architecture: Integrating Firewall, Antivirus, Logging and IPS in the SDDC with Allen Shortnacy

THANK YOU
