ANSB2240LV - Security Reference Design for VMware Cloud Foundation

ANSB2240LV
Security Reference Design for VMware Cloud Foundation

Pooja Patel
Director, Broadcom

#vmwareexplore #ANSB2240LV
Broadcom Proprietary and Confidential. Copyright © 2024 Broadcom.
All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

Disclaimer
• Certain information in this presentation may outline Broadcom's general product direction.
• This presentation shall not serve to (i) affect the rights and/or obligations of Broadcom or its licensees under any existing or future license agreement or services agreement relating to any Broadcom software product; or (ii) amend any product documentation or specifications for any Broadcom software product.
• This presentation is based on current information and resource allocations and is subject to change or withdrawal by Broadcom at any time without notice.
• The development, release and timing of any features or functionality described in this presentation remain at Broadcom's sole discretion.
• Notwithstanding anything in this presentation to the contrary, upon the general availability of any future Broadcom product release referenced in this presentation, Broadcom may make such release available to new licensees in the form of a regularly scheduled major product release.
• Such release may be made available to licensees of the product who are active subscribers to Broadcom maintenance and support, on a when and if-available basis.
• The information in this presentation is not deemed to be incorporated into any contract.

Agenda
• Introduction
• VCF Deployment Models Review
• Securing VCF VI Workload Domain
• Securing VCF Management Workload Domain
• NSX Application Platform
• NSX Federation in VCF Security Considerations
• Conclusion

Introduction

Top of Mind Security Concerns
• Rapidly Evolving Cyber Threats – How to Future-Proof
• Compliance Mandates & Audits – How to Address
• Lack of Visibility and Insights
• How to Operationalize at Scale
• Complexity of Managing Point Solutions

Cyber-Resilient Private Cloud
Purpose-Built Recovery (VMware Live Recovery): Live Recovery | Behavioral Analysis | On-demand IRE
• Confident recovery from existential threats
• Quick recovery with guided automation
• Simplified recovery operations
Advanced Security (VMware vDefend): Lateral Security | IDS/IPS | NTA/NDR | Malware Prevention
• Strong distributed lateral security
• Signature and behavior-based detection
• Data exfiltration avoidance
• Zero-day threat detection
Hardened Infrastructure (Platform Hardening): COMPUTE | STORAGE | NETWORKING | MANAGEMENT
• Defense in depth at every layer
• Automated patch management
• Flexible security policies and controls

vDefend Firewall Stack
AI Powered Threat Analytics – Comprehensive Lateral Security
• Security Intelligence (Visibility | Firewall Planning | Network Traffic Analysis): App Discovery, Security Analytics, Rule Recommendations
• Advanced Threat Prevention (IDS/IPS | Malware | Sandboxing | NDR | Vulnerabilities): Ransomware Prevention, Malware Prevention
• Distributed Firewall and Gateway Firewall: Micro Segmentation, Segment Zones
• Workloads covered: Virtual Machines, Containers, Bare Metal Servers

vDefend Firewall – Unique Advantages for VCF
Overview
Figure: VMs (VM1, VM2, VM3) on ESXi hosts, with the firewall enforced at each VM's vNIC.
Product Capabilities
• Stateful layer 4 access controls
• Layer 7 Controls with App-ID/FQDNs
• Identity Firewall with UserID (Microsoft AD based, RDSH)
• IDS/IPS, Malware Prevention and Sandboxing
• Analytics platform for flow visibility and threat investigation
• Support for VM, Container and Bare Metal Workloads
Our Unique Advantages for VCF
• Plug and play with VCF private cloud
• Centrally managed from a unified console
• Agentless enforcement at each vNIC in the hypervisor
• Elastic scale out as applications scale
• No specialized hardware, no hair pinning or sensors/taps
• Firewall moves along with the VM
• Multi-site/Federation support

VCF Deployment Models Review

VCF Architectures
Consolidated vs. Standard
1. Consolidated: a single Management Domain whose infrastructure cluster hosts both the infrastructure VMs and the customer workloads (additional clusters optional). One WLD: Infrastructure VMs and customer workloads run in the same domain.
2. Standard: a Management Domain (infrastructure cluster) plus one or more Virtual Infrastructure Domains (additional clusters optional). A Mgmt WLD for infrastructure VMs and several Virtual Infrastructure (VI) WLDs for customer workloads.

VCF Architectures
Single Site Deployment (Standard Architecture) – Shared NSX Manager for VI WLDs
Figure: Management Domain (vSphere Cluster 1: Management NSX Managers, Domain vCenter, NSX Edge, SDDC Manager, ESXi hosts, inside its own NSX Manager Boundary) and VI Workload Domains 1–3 (vSphere clusters, VI Workload 1 Domain vCenter with the NSX Managers, VI Workload 2 and 3 Domain vCenters, NSX Edges, VDI and APP workloads, ESXi hosts, inside one shared NSX Manager Boundary). Single VCF Instance - Single Region.
• Management is a self contained NSX Domain with NSX Managers
• Management Domain is dedicated to running infrastructure management workloads
• Production compute workloads run in a VI WLD and are managed by separate vCenter servers
• Single NSX Domain for consistent security and networking across multiple VI WLDs
• Extendable to Multi AZ or Multi VCF Instances using NSX Federation
• Shared Security grouping and tagging constructs
• Scale from 100 up to 1000 ESXi hosts

VCF Architectures
Single Site Deployment (Standard Architecture) – Dedicated NSX Manager for each VI WLD
Figure: Management Domain (vSphere Cluster 1: Management NSX Managers, Domain vCenter, NSX Edge, SDDC Manager, ESXi hosts, inside its own NSX Manager Boundary) and VI Workload Domains 1 and 2, each with its own vSphere clusters, Domain vCenter, NSX Managers, NSX Edge and ESXi hosts inside its own NSX Manager Boundary (VDI workloads in VI Workload Domain 2). Single VCF Instance - Single Region.
• Management is a self contained NSX Domain with NSX Managers
• Management Domain is dedicated to running infrastructure management workloads
• Production compute workloads run in a VI WLD and are managed by separate vCenter servers
• Single VCF Instance with multiple independent VI WLD/NSX Domains
• Extendable to Multi AZ or Multi VCF Instances using NSX Federation
• Multiple NSX Domains = Multiple groups with isolated change windows
• Scale from 100 up to 1000 ESXi hosts

Reference Slide
VCF Architectures
Multi Availability Zone (AZ) Deployment using stretched Clusters
Figure: Management Domain and VI Workload Domain, each a Stretched vSphere Cluster 1 whose ESXi hosts are split across Availability Zone 1 and Availability Zone 2; Management NSX Managers, Domain vCenter, NSX Edge and SDDC Manager in the Management Domain, VI Workload 1 NSX Managers, Domain vCenter and NSX Edge in the VI WLD. Single VCF Instance - Single Region.
• A vSphere Cluster with vSAN Storage that spans multiple Availability Zones (AZ), where each Availability Zone constitutes a Failure Domain.
• The stretched cluster retains vSphere HA and DRS functionality, allowing for a fully automatic recovery from an Availability Zone failure
• vSAN witness node is required
• Management Domain cluster must be stretched prior to stretching any VI WLD vSAN clusters
• Stretch other vSAN clusters as needed for availability

VCF Architectures
Multi VCF Instance Deployment using NSX Federation
Figure: VCF Instance – Region A and VCF Instance – Region B, each with a Management Domain (NSX Managers, SDDC Mgr, Management Domain vCenter, NSX Edge) and a VI Workload Domain 1 (NSX LM, NSX Edges, VI Workload 1 Domain vCenter, ESXi hosts) inside its own NSX Manager Boundary; the VI WLD NSX Local Managers are joined by NSX Federation, with NSX GM (A) active and NSX GM (S) standby.
• Multiple VCF Instances connected via NSX Federation for single pane of glass policy management and Disaster recovery
• NSX Federation extends compute pooling across NSX Domains
• Federate VI WLDs or Mgmt WLDs for same or different WLDs
• Manual NSX Federation deployment process following VMware Validated Solutions (VVS) guidance
• Note: Multi VCF Instances using NSX Federation is enabled per NSX Domain, not for the whole VCF Instance
• Increased Firewall Scale in NSX 4.2 – see https://configmax.esp.vmware.com

Where Can vDefend Firewall Be enabled?
• NSX is a requirement for vDefend firewall.
• vDefend Firewall is supported on all VCF and non-VCF deployments where NSX is enabled.
• vDefend firewall can be enabled on all network backings (VLAN Segment, Overlay Segment, VLAN DVPG)
• vDefend firewall can secure E-W traffic in Management as well as VI workload domains
• vDefend can be enabled on Tanzu clusters to secure E-W traffic between VMs, Pod VMs and Container Pods
• vDefend gateway firewall can be enabled to secure N/S traffic to other zones/physical devices in the DataCenter

New in VCF 5.2
Distributed Security for Any Network Attachment Type
NSX on DVPGs
Figure: Management Domain (NSX Managers, SDDC Managers) with wld01-vcenter, wld02-vcenter and wld03-vcenter; VDS-1, VDS-2 and VDS-3 attached to the Upstream Network, each carrying DVPGs, Overlay Segments and VLAN Segments; one NSX Fabric shared by VI WLD 1 and VI WLD 2 (Shared NSX per workload domains) and a second NSX Fabric for VI WLD 3 (Dedicated NSX per WLD).

Securing VCF VI Workload Domain

Journey to Zero Trust
Secure Infrastructure
• Grouping and Tagging of Environments and Infrastructure
• Protect critical infrastructure services
Secure Zones
• Implement Environment Segmentation Policies
Secure Applications
• Discover application grouping and communication paths using Security Intelligence
• Secure App to App Communication
• Secure Intra-App Communications
Elevate Ransomware Defense
• Enable E-W IDS/IPS
• Enable Malware and Sandboxing Controls
• Elevate Threat triaging and Network Anomaly Detection with NTA/NDR

Grouping and Tagging
Overview
Groups
• Static Members: IP/MAC Addresses/Subnets, Segment, Segment Port, VNIC, Virtual Machine, Group
• Criteria-Based: IP/MAC, Segment Port (Tag), Segment (Tag), Virtual Machine (Tag), Virtual Machine (Name), OS Name, VM Hostname, Identity (IDFW): User, AD Groups
Tags
• Applied to Segments, Segment Ports and Virtual Machines, and used as the criteria above

VCF VI Workload Domain – Environment Zoning
Step 1: Secure Infrastructure and Zones
Figure: VI WLD 1, VI WLD 2 and VI WLD 3 on one NSX Fabric, with Dev and Prod workloads and the shared NTP, AD and Log Services.
• Pooled VCF infrastructure across VI WLDs
• Single NSX Manager across VI WLDs
• Step 1a: Segment the workloads based on environments

VCF VI Workload Domain – Environment Zoning
Step 1: Secure Infrastructure and Zones
Figure: VI WLD 1, VI WLD 2 and VI WLD 3 on one NSX Fabric, with Dev and Prod zones and the shared NTP, AD and Log Services.
• Step 1b: Create macro-level infrastructure and environment policies
• Examples:
  Block Dev to Prod communication
  All workloads talk to shared services
  Allow access to infra services:
    AD -> AD Allow
    RFC1918 -> AD Allow
    RFC1918 -> NTP Allow
    RFC1918 -> Log Allow
  Block Insecure Protocols:
    Any -> Any SSHv1 Deny
    Any -> Any SMB1 Deny

VCF VI Workload Domain – Application Segmentation
Step 2: Secure app to app communication
Figure: App 1, App 2 and App 3 across VI WLD 1, VI WLD 2 and VI WLD 3 on one NSX Fabric, with Dev and Prod zones and the shared NTP, AD and Log Services.
• Ring Fence app to app communication
• Turn on Security Intelligence to determine app to app communication and flow insights
• Tag VMs with appropriate app information
• Define app grouping and policies and app to app policies.
• vRealize Network Insight can also be used for L4 flow information.

VCF VI Workload Domain – Application Micro-Segmentation
Step 3: Micro-segment critical apps that require zero-trust
Figure: App 1, App 2 and App 3 across VI WLD 1, VI WLD 2 and VI WLD 3 on one NSX Fabric, with Dev and Prod zones and the shared NTP, AD and Log Services.
• Use Security Intelligence to gain intra-app flow communication insights
• Use NSX Intelligence rule recommendations to generate the intra-app security posture.
• Use the above process to micro-segment critical apps

VCF VI Workload Domain – Zone Separation with GW Firewall
Tenant segmentation with GFW, E-W App segmentation using DFW
Figure: an EDGE CLUSTER hosting two Tier-0 Gateways, with a Tier-1 Gateway for TENANT A and a Tier-1 Gateway for TENANT B, above one NSX Fabric spanning VI WLD 1, VI WLD 2 and VI WLD 3.
• Single NSX Domain for consistent security and networking across multiple VI WLDs
• Dedicated VI WLD vSphere Cluster for NSX Edges provides best performance, availability, and throughput
• NSX grouping and tagging strategy can be used to segment tenants and their apps
• vDefend GFW to enforce security between Tenants - dedicated Tier 1 (or multiple) per tenant
• vDefend DFW to provide tenants' Apps micro-segmentation and zero-trust
Design Considerations:
• Edge performance, HA and capacity planning is a consideration.
• Next Generation Gateway Features (GW IDS/IPS, TLS encryption/decryption, Malware) can be enforced b/w Tenants
• Single Overlay TZ across VI WLDs* = NSX Overlay segments will be available in all VI WLDs

VCF VI Workload Domain – Zone Separation with GW Firewall
Dedicated NSX instance/Edge Cluster per VI WLD
Figure: three EDGE CLUSTERs, one each for TENANT A, TENANT B and TENANT C, each above its own NSX Fabric in VI WLD 1, VI WLD 2 and VI WLD 3.
• Single VCF Instance with multiple independent VI WLD/NSX Domains
• Tenant's dedicated VI WLD for complete isolation
• Dedicated VI WLD vSphere Cluster for NSX Edges provides best performance, availability, and throughput
• Independent NSX Groups per NSX Instance (VI WLD) to segment the workload into unique Security Zones and Application Groups
• vDefend DFW to provide tenants' Apps macro and micro-segmentation and zero-trust
• Tenant WLD Ingress/Egress securely managed through the vDefend Gateway Firewall (Tier-0/Tier-0s)
• Next Generation Gateway Features (GW IDS/IPS, TLS encryption/decryption, Malware) can be provided for each Tenant
• NSX Federation can be enabled for centralized security management across VI WLDs

Security Rule Model
Pre-defined categories
• Ethernet Category – Used for L2 Policy
• Emergency Category – Used for Quarantine and/or Allow Rules
• Infrastructure Category – Global Policy: AD, DNS, NTP, DHCP, Backup, Mgmt Servers
• Environment Category – Policy between ZONES: Prod vs Dev, PCI vs NON-PCI, Inter BU rules
• Application Category – Policy between apps, app-tiers or rules between micro-services
• Default Policy – Allow-List/Zero-trust

• Pre-defined categories aligned with common policy model
• Each category can have multiple Policies/rules
• Define Policy in the specific category for easier policy management
• Rules enforcement Top → Down and Left → Right

Design Consideration – Why “Applied-to” Matters
Applied-to/Scope of enforcement
Overview
• “Applied-to” defines the scope of enforcement per rule
• Default is “DFW” – rule applied to all workloads
• User can change it to one or more specific Groups of workloads
Benefit
• Optimizes the resource utilization on the ESX/KVM hosts
• Helps in defining targeted policy at specific Zones/Tenants without stepping on policy defined on other tenants/zones

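The rule model, the category enforcement order and the Applied-to scope from the last two slides, worked through on the macro policies of the environment-zoning slide, as an added Python illustration that is not NSX or vDefend code; the group names, tags, service names, VM names and addresses are constructed sample data:

```python
"""Toy model of the rule model on these slides: criteria-based groups, pre-defined
categories walked top-down, and a per-rule Applied-to scope. Added illustration, not NSX code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Enforcement order of the pre-defined categories; the Default policy comes last.
CATEGORY_ORDER = ("Ethernet", "Emergency", "Infrastructure", "Environment", "Application")

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: frozenset = frozenset()

@dataclass
class Group:
    """Criteria-based membership by VM tag, or static membership by IP set."""
    name: str
    tag: Optional[str] = None
    subnets: Tuple[str, ...] = ()

    def contains(self, vm: VM) -> bool:
        if self.tag is not None and self.tag in vm.tags:
            return True
        return any(ip_address(vm.ip) in ip_network(s) for s in self.subnets)

@dataclass
class Rule:
    name: str
    category: str
    src: str                                 # group name or "Any"
    dst: str                                 # group name or "Any"
    service: str                             # service name or "Any"
    action: str                              # "Allow" or "Drop"
    applied_to: Tuple[str, ...] = ("DFW",)   # "DFW" = programmed on every vNIC

class Policy:
    def __init__(self, groups, rules, default_action="Drop"):
        self.groups = {g.name: g for g in groups}
        rank = {c: i for i, c in enumerate(CATEGORY_ORDER)}
        # Stable sort: category order first, the author's top-down order inside a category.
        self.rules = sorted(rules, key=lambda r: rank[r.category])
        self.default_action = default_action

    def member(self, vm: VM, group: str) -> bool:
        return group == "Any" or self.groups[group].contains(vm)

    def rules_for_vnic(self, vm: VM):
        """Rules the host programs on this VM's vNIC, i.e. the Applied-to scope."""
        return [r for r in self.rules
                if "DFW" in r.applied_to or any(self.member(vm, g) for g in r.applied_to)]

    def decide_at_vnic(self, owner: VM, src: VM, dst: VM, service: str) -> Tuple[str, str]:
        for r in self.rules_for_vnic(owner):
            if self.member(src, r.src) and self.member(dst, r.dst) and r.service in ("Any", service):
                return r.action, r.name      # first match wins
        return self.default_action, "Default"

    def evaluate(self, src: VM, dst: VM, service: str) -> Tuple[str, str]:
        """A flow passes only if both the sender's and the receiver's vNIC allow it."""
        decisions = [self.decide_at_vnic(vm, src, dst, service) for vm in (src, dst)]
        for d in decisions:
            if d[0] == "Drop":
                return d
        return decisions[0]

def build_zoning_policy() -> Policy:
    """Macro policies from the environment-zoning slide; group names and tags are constructed."""
    groups = [
        Group("Dev", tag="env:dev"), Group("Prod", tag="env:prod"),
        Group("AD", tag="infra:ad"), Group("NTP", tag="infra:ntp"), Group("Log", tag="infra:log"),
        Group("RFC1918", subnets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")),
    ]
    rules = [
        # Insecure-protocol blocks sit first so they win over the allows that follow.
        Rule("Block-SSHv1", "Infrastructure", "Any", "Any", "SSHv1", "Drop"),
        Rule("Block-SMB1", "Infrastructure", "Any", "Any", "SMB1", "Drop"),
        Rule("AD-to-AD", "Infrastructure", "AD", "AD", "Any", "Allow"),
        Rule("RFC1918-to-AD", "Infrastructure", "RFC1918", "AD", "Any", "Allow"),
        Rule("RFC1918-to-NTP", "Infrastructure", "RFC1918", "NTP", "Any", "Allow"),
        Rule("RFC1918-to-Log", "Infrastructure", "RFC1918", "Log", "Any", "Allow"),
        # Environment rules scoped with Applied-to, so infrastructure vNICs never carry them.
        Rule("Dev-to-Prod", "Environment", "Dev", "Prod", "Any", "Drop", ("Dev", "Prod")),
        Rule("Dev-internal", "Environment", "Dev", "Dev", "Any", "Allow", ("Dev",)),
        Rule("Prod-internal", "Environment", "Prod", "Prod", "Any", "Allow", ("Prod",)),
    ]
    return Policy(groups, rules, default_action="Drop")   # allow-list / zero-trust default

# Constructed sample VMs.
DEV_WEB = VM("dev-web-01", "10.10.1.10", frozenset({"env:dev"}))
PROD_WEB = VM("prod-web-01", "10.20.1.10", frozenset({"env:prod"}))
PROD_DB = VM("prod-db-01", "10.20.2.10", frozenset({"env:prod"}))
AD_01 = VM("ad-01", "10.0.0.5", frozenset({"infra:ad"}))

if __name__ == "__main__":
    policy = build_zoning_policy()
    print(policy.evaluate(DEV_WEB, PROD_WEB, "HTTPS"), [r.name for r in policy.rules_for_vnic(AD_01)])
```

Because the Dev/Prod rules are applied only to the Dev and Prod groups, the AD server's vNIC carries just the six Infrastructure rules, while a Dev VM's vNIC carries eight.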
vDefend Firewall for NSX VPC
Self-service Security Services for VCF
Figure: a VPC with NAT Services, a Public Subnet, a Private Subnet and an Isolated Subnet.
• VPC is a logically isolated virtual network
• It resembles a traditional network with the benefits of VCF, such as the elastic scale of the network and security services, as well as availability and isolation.
• Provides strict and implicit separation between the infrastructure layer (provider-managed) and the consumption layer (DevOps persona) with self-service Network and Security capabilities
vDefend Firewall empowers VPC with automated Security
• By default, a default group for each VPC is created, and all the VMs connected to the VPC subnets are part of the group.
• A default security policy blocks any inbound traffic to VPC resources. Outbound connectivity is allowed. Full communication between VMs in the VPC is allowed.
• The default VPC group is used in the apply-to field of the VPC-specific security policies (only visible in the manager UI)

Securing VI Workload Domains
vDefend Deployment Considerations – Firewall + IDS/IPS
Figure: EXTERNAL network → Tier-0 Gateway (A/A Mode) → Tier-1 Gateway (A/S Mode) → VI WLD workloads protected by Micro-Segmentation and IDS/IPS.
After the initial day 0 NSX deployment and configuration, the VCF platform is ready to adapt and consume:
• Micro-Segmentation using Distributed Firewall (DFW)
• Distributed IDPS
If edge nodes are configured, GW firewall features can also be enabled:
• Layer 4-7 GW Firewall
• URL Filtering
• Gateway IDPS
• TLS Inspection
Design Note: No NAPP dependency to enable these features

NSX Application Platform and ATP Design

Securing Virtual Infrastructure Workload Domains
Deployment Considerations: Single Availability Zone and Single VCF Instance
Note: IDS/IPS does not need NAPP
Figure: EXTERNAL network → Mgmt WLD Tier-0 Gateway → Tier-1 Gateway → VI WLD, with NDR, URL Filtering, IDPS, Malware Detection, TLS Inspection, FQDN Visibility, Micro-Segmentation, Malware Prevention, NTA and IDS/IPS enforced along the path.
NSX Application Platform (NAPP) is an extension of NSX that is used to enable the following advanced NSX security features:
• Security Intelligence and NSX Metrics
• Distributed Malware Detection and Prevention
• Gateway Malware Detection
• Network Traffic Analysis (NTA)
• NSX Network Detection and Response (NDR)
• NAPP is deployed after VCF has provisioned the core VMware/NSX software components
• NAPP Automation Appliance (NAPPA) is the recommended way of installing NAPP
• NAPP LCM is not controlled via SDDC Manager
*Follow the NAPP Design Guidance for VMware Cloud Foundation Environments

NAPP Design for VCF
NAPP instances are hosted in Mgmt WLD
Figure: VCF Mgmt WLD hosting the NAPP Automation Appliance, an HA Proxy and a Supervisor Cluster on the Management net, FrontEnd net and Workload net, with Guest Cluster wld1 serving NSX wld1 and Guest Cluster wld2 serving NSX wld2.
• NAPPAA (NAPP automation appliance) installs NAPP as well as configures the Tanzu/K8s cluster for NAPP
• NAPP instances are installed in the Mgmt Domain for each NSX domain
• One instance of NAPP per NSX domain (1:1 mapping)
• 5 instances of NAPP can be managed by NAPPAA (NSX 4.2, NAPP 4.2)
• Each NAPP instance can be scaled out to 15 worker nodes
• Sizing tool available to size the NAPP instance appropriately (New in NSX 4.2): https://knowledge.broadcom.com/external/article/373793/security-intelligence-sizing-tool.html

Reference Slide
NAPP 4.2 Sizing Guidance
Number of worker nodes (Advanced Form Factor)

Activated services (X) and minimum number of worker nodes (*):
Intelligence | NTA | MPS | NDR | Minimum worker nodes
-            | -   | -   | -   | 4
X            | -   | -   | -   | 4
X            | X   | -   | -   | 5
X            | X   | X   | X   | 5

• Minimum number of worker nodes for platform deployment: 4
• If 2+ services are activated: 5 (**)
• Actual number of worker nodes depends on traffic pattern (flow rate, internal flow vs external flow, flow uniqueness…)
• NAPP Cluster sizing tool
• Note: Intelligence service scale-out has been tested up to 10 worker nodes
* One Advanced Form Factor node is still 64GB RAM / 16 vCPUs
** 5 worker nodes minimum requirement is not enforced at NAPPAA deployment step or NAPP service activation

Step 4: Enable ATP for VI WLD
Elevate Ransomware Defense
Cloud Services
• Threat Intelligence: IDS/IPS Signature Updates, Malicious IP Reputations Feed, Threat Intelligence Malware Feeds
• Sandboxing
Figure: INTERNET → PERIMETER FIREWALL → Cloud Connector exchanging IDS/IPS Signature Updates, Malware Events and File Uploads with the Cloud Services; in the VI WLD, ESXi hosts run IDS/IPS, DFW and MPS SVMs (Malware Prevention (Unknown), vDefend 4.2) and emit IDPS Events, DFW Events and Network Telemetry; in the MANAGEMENT WLD, NSX Manager and NAPP (NDR On-Prem, Network Anomaly) feed the SIEM used by the Security Engineer and Security Analyst (ENGINEERING).

Securing VCF Management WLD

VCF Management WLD Security
Default State
Figure: Management WLD on the Management Network with NSX Edges, SDDC Manager, three vCenters and three NSX Managers, alongside VI WLD 1 and VI WLD 2 with their NSX Edges.
• All traffic within the Management WLD is permitted
• Any external host can connect to NSX Manager, vCenter, SDDC Manager, Aria Suite, etc.
• VCF Management Plane must be secured
• Management workloads are put on the Management NSX Exclusion List and connected to a vSphere dvpg

Management WLD Security
Functional Segmentation: Example System Communication
Figure: VMware Cloud Foundation components (SDDC Manager, vCenter(s), NSX, Aria LCM, ESXi Hosts, Data Bus, Misc. Service) and their communication with Automation & Orchestration, Enterprise Services (DNS, LDAP, NTP...), Secure Network(s) & Bastion Host(s) and further Enterprise Services.

Management WLD Security - VCF 5.2 / NSX 4.2
Out-of-the-box support for DFW for the VCF Management VMs
Figure: VMware Cloud Foundation Management Domain: vCenter Server, SDDC Manager and NSX Manager on the VM Management VLAN; (Host) Management VLAN, vMotion VLAN, vSAN VLAN and the NSX Overlay Transport VLAN (Host TEP Network) on the VDS; Host TEPs on the NSX Prepared Hosts ESXi 1–4.
• Discovery and Distributed Security for the VCF Management VMs with VMware vDefend
• Can be activated or deactivated at any time
• No disruption to existing workloads
• Configure and verify DFW policy not to block VCF Management traffic
• Remove VMs from the NSX Exclusion List to enforce DFW, except Mgmt WLD NSX Managers
NSX on DVPGs on VCF 5.2
• Greenfield or Upgrades - disabled by default
• VCF 5.2 Brownfield Migration – enabled by default

Management WLD Security
Segmentation Planning

Start with a macro-segmentation policy
• Allow Bastion hosts to VCF instance
• Allow SDDC Manager to vCenters, NSX Managers, Edge Nodes, Hosts, and IP Storage
• Allow vCenters to vCenters Linked Mode (if used)
• Allow NSX Managers to NSX Managers within a WLD

Start Safely
• Default Allow with logging enabled – Use log-tags
• Change the default rule to Drop when confident with the policy

Grouping Criteria
• Management WLD VMs - VM Names, NSX Tags, DVPGs, NSX Segments
• Hosts, IP-based Storage, NSX Edge Node - IP Sets

Deepen the security policy
• Increase granularity (micro-segmentation) based on logs or Security Intelligence.
• Use L7 App-ID

Use https://ports.esp.vmware.com as a reference
Management WLD Security
Macro Segmentation Planning

Diagram: zones inside a VCF Instance and the enterprise zones around it.
• Mgmt WLD Zone
  • SDDC Zone: SDDC Manager
  • Hosts / Edge: vSAN Nodes
  • vCenter Zone: Mgmt vCenter, Mgmt NSX, Aria Suite, Avi Controller, SSO
• WLD#1/2 Zone (shared NSX): VI WLD#1 - vCenter, Edge Nodes, Hosts, Storage (Standard); VI WLD#2 - vCenter, Hosts, Storage (Standard)
• WLD#3 Zone: VI WLD#3 - vCenter, NSX, Edge Nodes, Hosts, Storage (Standard)
• WLD#4 Zone (Isolated WLDs): VI WLD#4 - vCenter, NSX, Edge Nodes, Hosts, Storage (Isolated)
• VCF 5.2 – Shared NSX for Management WLD
• Bastion Zone: Jump Hosts
• InfraSvc Zone: DNS, DHCP, AD, Log Servers, Backup Servers
• Tools Zone: Automation Tools
Also shown in the Mgmt WLD area: VCD.
Reference Slide
Management WLD Security
Security Policy
Infrastructure Category

VCF Infrastructure Policy – Applied: MGMT_WLD; VI_WLD(…)

| Name | Source | Destination | Service | Context Profile | Applied To | Action / Log |
| Allow Bastion Zone to VCF | BASTION | MGMT_WLD, VI_WLD(…) | Any | None | DFW | Allow |
| Allow VCF to InfraSvc | MGMT_WLD, VI_WLD(…) | INFRA_SVC | DNS-TCP, DNS-UDP, NTP, Syslog (TCP/UDP), SSH, ICMP | None | DFW | Allow |
| Allow LDAP | MGMT_WLD, VI_WLD(…), INFRA_SVC | MGMT_WLD, VI_WLD(…), INFRA_SVC | LDAP | None | DFW | Allow |
| Allow AD | MGMT_WLD, VI_WLD(…), INFRA_SVC | MGMT_WLD, VI_WLD(…), INFRA_SVC | ACTIVDIR | – | DFW | Allow |
| Allow 3rd Automation and Management Tools | TOOLS | MGMT_WLD, VI_WLD(…) | HTTPS, SSH, ICMP | None | DFW | Allow |

*Note: IP Based Groups must be used for Hosts, NSX Edges, and IP Storage. The DFW will not apply on these Groups.
Reference Slide
Management WLD Security
Security Policy
Environment Category

VCF Environment Policy – Applied: MGMT_WLD; VI_WLD(…)

| Name | Source | Destination | Service | Context Profile | Applied To | Action / Log |
| Allow VCF Management | SDDC | MGMT_WLD, VI_WLD(…) | ICMP, HTTPS, SSH, TCP-5480 | None | DFW | Allow |
| Allow vCenter ELM | MGMT_VC, VI_WLD(…)_VC, SDDC_MGR | MGMT_VC, VI_WLD(…)_VC, SDDC_MGR | HTTPS, LDAP, LDAP-over-SSL, TCP-2012, TCP-2020 | None | DFW | Allow |
| Allow Mgmt WLD to itself | MGMT_WLD | MGMT_WLD | Any | None | DFW | Allow |
| Allow WLD to Itself (rule per WLD) | VI_WLD(…), VI_WLD(…)_NFS | VI_WLD(…), VI_WLD(…)_NFS | Any | None | DFW | Allow |
| Block traffic between WLDs (if needed) | MGMT_WLD, VI_WLD(…) | MGMT_WLD, VI_WLD(…) | Any | None | DFW | Drop |
| Allow VCF Outbound | MGMT_WLD, VI_WLD(…) | Any | HTTPS | TLS 1.2, TLS 1.3 | DFW | Allow |
| VCF Default Deny | Any | Any | Any | None | DFW | Drop |

*Note: IP Based Groups must be used for Hosts, NSX Edges, and IP Storage. The DFW will not apply on these Groups.
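Added example, not from the deck: a small first-match evaluator for the Environment category rules above, in slide order, plus the "start safely" default and a check that the flows the segmentation-planning slide requires are not dropped. Group and service names are transcribed from the tables (the VI_WLD(…) placeholders collapsed to VI_WLD); the flows, and the SDDC/SDDC_MGR membership of SDDC Manager, are constructed assumptions.

```python
from dataclasses import dataclass
Groups = frozenset  # NSX group names on an endpoint, or listed in a rule

@dataclass(frozen=True)
class Rule:
    name: str
    src: Groups        # {"Any"} matches every source
    dst: Groups
    services: Groups   # {"Any"} matches every service
    action: str        # "Allow" or "Drop"

def _hit(have, wanted):
    # An endpoint sits in several groups at once (MGMT_VC is also in MGMT_WLD):
    # match when any of them is listed, or when the rule says Any.
    return "Any" in wanted or not have.isdisjoint(wanted)

ANY = Groups({"Any"})
VCF = Groups({"MGMT_WLD", "VI_WLD"})
VCS = Groups({"MGMT_VC", "VI_WLD_VC", "SDDC_MGR"})
# Environment category rules in slide order (transcribed from the table above).
ENVIRONMENT_POLICY = [
    Rule("Allow VCF Management", Groups({"SDDC"}), VCF,
         Groups({"ICMP", "HTTPS", "SSH", "TCP-5480"}), "Allow"),
    Rule("Allow vCenter ELM", VCS, VCS,
         Groups({"HTTPS", "LDAP", "LDAP-over-SSL", "TCP-2012", "TCP-2020"}), "Allow"),
    Rule("Allow Mgmt WLD to itself", Groups({"MGMT_WLD"}), Groups({"MGMT_WLD"}), ANY, "Allow"),
    Rule("Allow WLD to itself", Groups({"VI_WLD", "VI_WLD_NFS"}), Groups({"VI_WLD", "VI_WLD_NFS"}), ANY, "Allow"),
    Rule("Block traffic between WLDs", VCF, VCF, ANY, "Drop"),
    Rule("Allow VCF Outbound", VCF, ANY, Groups({"HTTPS"}), "Allow"),
]

def evaluate(policy, src, dst, service, default="Drop"):
    """First match wins, as in the DFW; the implicit last rule is VCF Default Deny
    (Drop) once the policy is trusted, or Default Allow with logging while starting safely."""
    for rule in policy:
        if _hit(src, rule.src) and _hit(dst, rule.dst) and _hit(Groups({service}), rule.services):
            return rule.name, rule.action
    return "VCF Default", default

# Constructed sample of flows VCF itself needs (see the segmentation planning slide).
REQUIRED_FLOWS = [
    ("SDDC Manager -> VI vCenter", Groups({"SDDC", "SDDC_MGR", "MGMT_WLD"}), Groups({"VI_WLD", "VI_WLD_VC"}), "HTTPS"),
    ("vCenter ELM", Groups({"MGMT_WLD", "MGMT_VC"}), Groups({"VI_WLD", "VI_WLD_VC"}), "LDAP-over-SSL"),
    ("Mgmt WLD internal", Groups({"MGMT_WLD"}), Groups({"MGMT_WLD"}), "SSH"),
]

def blocked_management_flows(policy, default="Drop"):
    """Required flows the policy would drop: fix these (usually rule order) first."""
    return [name for name, s, d, svc in REQUIRED_FLOWS
            if evaluate(policy, s, d, svc, default)[1] == "Drop"]
```

Moving the "Block traffic between WLDs" rule above the VCF Management and vCenter ELM rules makes those two required flows hit Drop, which is exactly the kind of mistake the Default Allow plus logging phase is meant to surface before the default is flipped.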
Security Considerations for NSX Federation in VCF
NSX Federation in VCF - Security Design Considerations
Simplify the Security consumption across VCF VI WLD with dedicated NSX domains

Diagram: NSX Global Manager(s) sync to NSX Manager WLD 1, NSX Manager WLD 2 and NSX Manager WLD 3 (VI WLD 1, VI WLD 2, VI WLD 3); Global Services Apps span all three, Region Services Apps span two, Local Services Apps stay within one NSX instance.

• Central configuration of the security services across VCF WLDs
• Helps to enable an operational model similar to VI WLD with shared NSX instance
• Applications can be deployed anywhere, even span multiple NSX instances
• Tag-based groups for virtual workloads across all the VI WLD
• IP Groups for anything external (i.e., physical servers)
• Flexible NSX Federation Grouping with Global, Region or Local span
• Firewall rules can mix groups span
*Note: NSX Global Manager can use dynamic membership in Groups based on vCenter DVPGs Tags; those vCenter DVPGs Tags being added by Local Manager.
New in VCF 5.2
NSX Federation in VCF - Security Design Considerations
Brownfield Expansion into Multi-Instance VCF

Diagram: an NSX Global Manager federating an Existing VCF Instance (NSX Manager, SDDC Manager, vCenter) with an Existing or New Non-VCF Instance (NSX Manager, vCenter).

• Federation between VCF and non-VCF NSX deployments is supported. This includes new or existing non-VCF NSX environments
• Provides centralized Security configuration across VCF and Non-VCF instances
Key Takeaways
vDefend enables multi-layered defense for VCF infrastructure

• Distributed Firewall Controls: Segment zone/apps in mgmt & VI workload domains
• IDS/IPS, Malware: Provides additional lateral security defense
• Security Intelligence: Provides deep flow analytics & firewall rule recommendations
• Ransomware Defense: Elevate SOC controls and threat visibility with NTA and NDR
Please take your survey.
Stay Connected
Let's continue the conversation

• Follow us @VMwareNSX
• Visit us at Hands-on Labs
  • VMware vDefend Firewall Getting Started [SPL2471LV]
  • VMware vDefend Firewall w/ Advanced Threat Protection [SPL2423LV]
Thank you