Aug 16

Understanding VMware AppDefense: A Tom Corn Perspective

How VMware AppDefense Enhances Security Across Clouds

Building on VMware’s foundational approach to cloud infrastructure and security, VMware AppDefense is a new solution that leverages the unique properties of virtualization to protect applications running on top of it. This new solution creates a least-privilege compute environment by capturing the intended state of applications and monitoring running machines against that intended state. AppDefense can detect and automate the response to attacks that attempt to manipulate those applications, addressing a key challenge security organizations face from a constantly evolving and complex threat landscape.
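The intent-based model described above (capture the known-good state of a workload, compare runtime behaviour against it, respond automatically) can be illustrated with a small Python model. This is an added example written for this page, not AppDefense code, and it makes no claim about how AppDefense itself represents intended state; the process names, ports, severity labels and response actions are all constructed.

```python
"""Intended-state ("ensure good") monitoring, as an illustration.

Added example, not AppDefense code. The baseline, runtime events,
verdict names and response actions are constructed for this page.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Connection:
    process: str     # executable that opened the socket
    direction: str   # "in" (listening) or "out" (connecting)
    peer_port: int   # local port for "in", remote port for "out"


@dataclass
class IntendedState:
    """Known-good behaviour captured for one workload."""
    processes: set = field(default_factory=set)
    connections: set = field(default_factory=set)

    @classmethod
    def capture(cls, observed):
        """Build the baseline from observations taken while the workload is healthy."""
        state = cls()
        for conn in observed:
            state.processes.add(conn.process)
            state.connections.add(conn)
        return state


def evaluate(intended, observed):
    """Compare runtime observations with the intended state.

    Returns (event, verdict) pairs. A process never seen in the baseline is
    treated as more serious than a known process opening a new connection.
    """
    findings = []
    for conn in observed:
        if conn.process not in intended.processes:
            findings.append((conn, "unknown-process"))
        elif conn not in intended.connections:
            findings.append((conn, "unexpected-connection"))
    return findings


def respond(findings):
    """Map findings to an automated response (constructed policy)."""
    if any(verdict == "unknown-process" for _, verdict in findings):
        return "quarantine"
    if findings:
        return "alert"
    return "none"


# Constructed baseline: captured while a web front end behaves normally.
BASELINE = IntendedState.capture([
    Connection("nginx", "in", 443),
    Connection("nginx", "out", 8443),   # calls to the application tier
    Connection("sshd", "in", 22),
])

# Constructed runtime sample: one drift from a known process, one new process.
RUNTIME = [
    Connection("nginx", "in", 443),
    Connection("nginx", "out", 8443),
    Connection("nginx", "out", 25),            # known process, new destination
    Connection("unexpected_tool", "out", 4444),  # process absent from baseline
]

if __name__ == "__main__":
    findings = evaluate(BASELINE, RUNTIME)
    for event, verdict in findings:
        print(f"{verdict:22} {event}")
    print("response:", respond(findings))
```

The point of the model is that nothing here depends on a signature of the attacker's tooling: a deviation from the captured baseline is enough to trigger a response, which is what "ensure good rather than chase bad" means in practice.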

Leveraging the Network Infrastructure

VMware AppDefense takes advantage of the application visibility the virtualization layer provides to enable what Tom Corn, VMware’s senior vice president for security products, calls “an intent-based security model.” That model focuses on what the applications should do—the known good—rather than what the attackers do—the known bad. “We believe it will do for compute, what VMware NSX and micro-segmentation did for the network; shrink the attack surface and create a more actionable security model.”

The virtualized, software-defined infrastructure allows AppDefense to automate every phase of this process, including threat detection and response.

Detect and Respond

The capabilities of VMware AppDefense open up new ways to shrink the attack surface and create a new security model that Corn says is “much more aligned to applications.” Now security organizations have the tools they need to leverage the power of the software-defined infrastructure to detect threats, and create “a much more actionable, orchestrated, and automated response” to attacks.

“With AppDefense,” Corn says, organizations have a simple but powerful mechanism to ‘ensure good’ rather than just ‘chase bad.’ This changes the current approach to security, which Corn describes as “constantly chasing the evolving threat landscape.”

Watch Tom Corn’s light board presentation to see how VMware AppDefense improves security for applications running on virtualized and cloud environments.

VMware AppDefense is a new security solution that allows organizations to create least privilege environments around their applications running in virtualized or cloud systems, a key feature according to VMware’s senior vice president for security products, Tom Corn. Watch VMware’s Tom Corn illustrate how VMware AppDefense significantly enhances application security when working across clouds in this light board presentation.
NOTE: This video is roughly 13 minutes in length so it would be worth blocking out some time to watch it!

Rating: 5/5


Jul 12

VMware NSX and the Data Center Network Evolution

Watch this short video from Gustavo Santana (author, VCIX-NV, triple-CCIE, and NSX SE Manager for Latin America) to understand how VMware NSX can positively influence the architecture of physical data center networks. Here are some of the topics addressed by Santana:

* The evolution of data center networks from the 1990s to the 2010s
* Benefits and challenges of each evolution phase (STP-based, Multi-chassis, fabrics)
* An architectural perspective of VMware NSX
* A new proposed architecture for data center networks

The network virtualization revolution continues!

Rating: 5/5


May 16

Using NSX to make a Virtualized DMZ

Need a more specific use case to get started with micro-segmentation and the NSX Distributed Firewall? Your DMZ is an excellent place to start. Why let your blast radius be the entire DMZ network – limit the scope of damage to each individual server. OS-level firewalls are great, but they can be disabled once the server has been compromised. NSX, with its point of control at the vNIC level, sits outside the guest and so gets around that limitation, helping reduce your exposure.
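To make the "limit the blast radius to each server" idea concrete, here is an added Python model of a per-vNIC, first-match, default-deny policy evaluated against a few constructed flows. It is not NSX code and does not use the NSX API; the addresses (documentation ranges), ports and rule set are assumptions made for the example. The ordering matters: the intra-DMZ deny is placed before the broad "any to DMZ on 443" allow, otherwise a compromised web server could reach its neighbours on 443.

```python
"""Per-vNIC micro-segmentation policy for a DMZ, as an illustration.

Added example, not NSX code. Addresses, ports and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None matches any port
    action: str           # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (_in_scope(flow.src, self.src)
                and _in_scope(flow.dst, self.dst)
                and (self.dport is None or self.dport == flow.dport))


def _in_scope(addr: str, scope: str) -> bool:
    return scope == "any" or ip_address(addr) in ip_network(scope)


def decide(rules, flow: Flow) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


DMZ = "203.0.113.0/24"      # constructed, RFC 5737 documentation range
APP_TIER = "10.10.20.0/24"  # constructed

# Policy attached to every DMZ web server's vNIC. The guest's own firewall
# plays no part in this evaluation, so disabling it inside a compromised
# guest does not widen what that guest can reach.
WEB_VNIC_RULES = [
    Rule(DMZ, DMZ, None, "deny"),         # block east-west inside the DMZ first
    Rule("any", DMZ, 443, "allow"),       # clients may reach the web tier
    Rule(DMZ, APP_TIER, 8443, "allow"),   # web tier may call the app tier on 8443
]

# Constructed sample flows, labelled for readability.
SAMPLE_FLOWS = {
    "client -> web1:443":  Flow("198.51.100.7", "203.0.113.10", 443),
    "web1 -> web2:22":     Flow("203.0.113.10", "203.0.113.11", 22),
    "web1 -> web2:443":    Flow("203.0.113.10", "203.0.113.11", 443),
    "web1 -> app1:8443":   Flow("203.0.113.10", "10.10.20.5", 8443),
    "web1 -> app1:3306":   Flow("203.0.113.10", "10.10.20.5", 3306),
}


def evaluate_all(rules=WEB_VNIC_RULES, flows=SAMPLE_FLOWS):
    """Return {label: verdict} for every sample flow."""
    return {label: decide(rules, flow) for label, flow in flows.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_all().items():
        print(f"{label:20} {verdict}")
```

Swap the first two rules and "web1 -> web2:443" becomes an allow: that is the kind of ordering mistake a real-time flow view such as the one NSX provides is meant to catch before the policy is enforced.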

Rating: 5/5


May 16

How NSX Uses VXLAN

NSX is referred to as an “overlay” technology, but what is actually doing the work on the back end to transfer that data back and forth? VXLAN is the unsung hero protocol moving data between the virtual and the physical side of the house. Join Jimmy Ray Purser as he goes through the basics of this standards-based protocol, what you need to configure on your physical network to enable it, and how it interacts with other network devices.
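For readers who want to see what the overlay actually carries, here is an added Python encoder and parser for the VXLAN header as specified in RFC 7348 (8 bytes: a flags byte whose I bit marks a valid VNI, 24 reserved bits, a 24-bit VNI, 8 reserved bits, carried over UDP port 4789 and followed by the inner Ethernet frame). This is example code written for this page, not NSX or VMware code; the inner frame and VNI values are constructed.

```python
"""VXLAN (RFC 7348) header build/parse, as an illustration.

Added example, not NSX code. The sample frame and VNI are constructed.
"""
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08     # I bit: the VNI field is valid
VNI_MAX = (1 << 24) - 1


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Prepend a VXLAN header to an inner Ethernet frame."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    first_word = VXLAN_FLAG_I << 24   # flags byte, then 24 reserved bits (zero)
    second_word = vni << 8            # 24-bit VNI, then 8 reserved bits (zero)
    return struct.pack("!II", first_word, second_word) + inner_frame


def parse_vxlan(payload: bytes) -> dict:
    """Decode a UDP payload as VXLAN; reject frames without the I flag."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte VXLAN header")
    first_word, second_word = struct.unpack("!II", payload[:8])
    flags = first_word >> 24
    if not flags & VXLAN_FLAG_I:
        # RFC 7348: the I flag MUST be set for a valid VNI; the other
        # flag bits and reserved fields are ignored on receipt.
        raise ValueError("I flag not set; VNI is not valid")
    return {"flags": flags, "vni": second_word >> 8, "inner": payload[8:]}


def is_valid_vxlan(payload: bytes) -> bool:
    try:
        parse_vxlan(payload)
        return True
    except ValueError:
        return False


def parse_ethernet(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet II header of the inner frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "ethertype": ethertype, "payload": frame[14:]}


def build_ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed inner frame: IPv4 ethertype with a placeholder payload.
INNER = build_ethernet(bytes.fromhex("0050560000aa"),
                       bytes.fromhex("0050560000bb"),
                       0x0800, b"constructed-payload")
SAMPLE_VNI = 5001  # constructed


def roundtrip(vni: int = SAMPLE_VNI, inner: bytes = INNER) -> dict:
    """Encapsulate, decode, and return the decoded inner header plus VNI."""
    decoded = parse_vxlan(build_vxlan(vni, inner))
    eth = parse_ethernet(decoded["inner"])
    return {"vni": decoded["vni"], "ethertype": eth["ethertype"],
            "src": eth["src"], "dst": eth["dst"]}


if __name__ == "__main__":
    print(roundtrip())
```

Two things the parser makes visible: the VNI is the only tenant/segment identifier on the wire, and nothing in the header authenticates it. RFC 7348 therefore leaves isolation to the underlay, which is why the physical-network configuration the video discusses (which VTEPs may exchange UDP/4789, and the larger MTU the extra header needs) is part of the security picture, not just a connectivity detail.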

Rating: 5/5


May 13

Using VLANs to Isolate Traffic

Using VLANs in vSphere helps you adapt the environment to network changes. VLAN modes overcome the limitations of the networking equipment and of host physical connectivity.

Rating: 5/5


Apr 29

VXLAN Virtual Wires, Part Two, Creating Virtual Wires

R&D Manager Sachin Thakkar shows you how to prepare your physical network for VXLAN virtual wires and then takes you through the procedure of creating a VXLAN virtual wire.

Rating: 5/5


Apr 28

VXLAN Virtual Wires, Part one, Overview

Using VLANs in vSphere helps you adapt the environment to network changes. VLAN modes overcome the limitations of the networking equipment and of host physical connectivity.

Rating: 5/5


Mar 13

NSX Firewall Demo

This security demo showcases what can be accomplished with NSX.

Rating: 5/5


Mar 01

VMware NSX – Components of NSX

In this video you will learn about the components of VMware NSX.

Rating: 5/5


Feb 05

Introducing VMware NSX for vSphere 6.3 & VMware NSX-T 1.1

This past week at VMware has been quite exciting! Pat Gelsinger, VMware CEO, reported on the Q4 2016 earnings call that VMware NSX has more than 2,400 customers exiting 2016. Today, we continue that momentum by announcing new releases of our two different VMware NSX platforms – VMware NSX™ for vSphere® 6.3 and VMware NSX-T 1.1.

These releases continue to accelerate digital transformation for organizations through the most critical IT use cases – Security, Automation, and Application Continuity – while expanding support for new application frameworks and architectures.
As more and more customers adopt NSX for vSphere, we continue to add features to make it easier for you to deploy, operate and scale-out your environment. NSX empowers customers on their cloud journey. It is driving value inside the data center today and expanding across datacenters and to the cloud via our Cloud Air Network partnerships, and soon to VMware Cloud on AWS and native public cloud workloads via VMware Cross-Cloud Services.

Let’s take a look at some of the new features in NSX for vSphere 6.3:

Security

Some of the new capabilities delivered in NSX for vSphere 6.3 are the Application Rule Manager (available in NSX Advanced and Enterprise editions) and Endpoint Monitoring (available in NSX Enterprise Edition).

Application Rule Manager simplifies the way you create security groups and firewall rules for applications based on their real-time network traffic flows. Endpoint Monitoring enables you to profile applications inside the guest including visibility into specific application processes and their associated network connections. Used together, you have end-to-end visibility of your applications and simplified firewall rule creation to help operationalize micro-segmentation even faster and more effectively than ever before.
Keep an eye out on the Security section of the NSX blog over the next few weeks for technical deep-dives into exactly how these Application Rule Manager and Endpoint Monitoring features work.

Our product certifications team was busy in 2016 and intends to deliver additional certifications throughout 2017. They have been working hard on guiding our development efforts and ensuring a number of key security and compliance enhancements made their way into the NSX for vSphere 6.3 release. In 2016, Coalfire, an independent cyber risk management advisor and assessor, certified that VMware NSX for vSphere meets regulatory compliance requirements such as PCI DSS. NSX was also the first software-defined networking solution to have the Defense Information Systems Agency (DISA) Risk Management Executive publish a Security Technical Implementation Guide (STIG), signifying that the solution meets the security hardening guidance required for installment on Department of Defense (DoD) networks. Watch the blog Security section in the coming months for updates on certifications related to ICSA Labs, FIPS 140-2 and Common Criteria EAL-2 certification.

Automation

When I meet with customers, they continue to tell me that NSX has the most transformative impact on their organizations once they begin automating their manual networking and security processes. It’s not easy and requires organizational, people, and process changes. But the value NSX brings to the organization is huge. To help support this, we continue to make enhancements to the automation capabilities in NSX for vSphere 6.3. We have enhanced the integration of NSX Load Balancers within vRealize Automation and added support for third-party IP Address Management (IPAM) systems for on-demand routed networks. We have also enhanced the integration between NSX for vSphere and vCloud Director, enabling new multi-tenant capabilities for our vCloud Air Network partners and adding support for emerging NFV use cases.
Figure. Screenshot of Load Balancing integration into vRealize Automation blueprints.

Multi-tenancy is often thought about as something only service providers care about, but we’re seeing increased demand from non-service providers looking to operate in more of a service provider model in the way they deliver services to their organization. The University of New Mexico is a great example of this, where they are collapsing their disaggregated IT from dozens of departments back to a centralized IT model, reducing provisioning time for new workloads and services from 3 weeks down to 20 minutes!

Application Continuity

As NSX continues to mature and adoption becomes mainstream, we are seeing customers deploy NSX for a range of different use cases. AeroData Inc., for example, is leveraging the network overlay capabilities in NSX to create a highly-available, Active-Active data center architecture. In NSX for vSphere 6.3, we have further enhanced the security tagging capabilities in multi-vCenter deployments, simplifying security policy management at scale across multiple data centers. (Read more about multi-site with cross-vCenter NSX.)

Emerging use-cases: Containers and Remote Office Branch Office (ROBO)

With NSX for vSphere 6.3, we are helping to further improve the developer experience with containers via integration with the recently announced vSphere Integrated Containers (VIC). As VIC is built on vSphere 6.5, you can leverage NSX for vSphere 6.3 to connect and secure VIC infrastructure, enabling you to deliver a secure container environment on demand for developers.

Another addition in the NSX for vSphere 6.3 release is a new NSX for ROBO edition SKU. With it, NSX provides a comprehensive solution for network and security policy across remote and branch offices, which reduces the operational costs of branch connectivity and maintenance. In upcoming blog posts, we will share more details about the NSX for ROBO features, use cases, and customer success stories, as we have been seeing keen interest from our customers in this space.

Expanded support for new platforms with NSX-T: KVM, OpenStack

Let’s now look at VMware’s other NSX platform – NSX-T 1.1 – and some of the new capabilities being delivered in this latest release.

VMware NSX-T is focused on emerging application frameworks and architectures that have heterogeneous endpoints and technology stacks. In addition to vSphere hypervisors, these environments may also include other hypervisors, containers, bare metal, and public clouds. NSX-T allows IT and development teams to choose the technologies best suited for their particular applications. NSX-T is also designed for management, operations, and consumption by development organizations – in addition to IT.

NSX-T 1.1 offers expanded support for multiple KVM distributions, including Canonical Ubuntu and Red Hat Enterprise Linux. NSX-T starts at the source of the application, within the hypervisor kernel, delivering optimal security granularity and line-rate performance. NSX-T delivers distributed firewalling, logical switching, and distributed routing.

NSX-T 1.1 also delivers support for private IaaS clouds based on OpenStack. With this release, NSX-T supports the latest versions of OpenStack, i.e., Newton and Mitaka. In addition to using the OpenStack APIs, development teams can also use Puppet, Chef, and Terraform to describe and automate the networking and security for their application workloads within an OpenStack environment.

Support for new app frameworks: Photon and Container Networking Interface (CNI)

NSX-T is integrated with the VMware Photon Platform. This capability allows IT to offer virtual networking and security as services to developers building and running containerized, cloud-native applications. NSX will auto-create and scale networks and routers when a new namespace/project/organization is created, and define and enforce micro-segmentation security policies for containers and pods. (Read more about Photon Platform and NSX-T.)

Currently in beta, the NSX-T Container Networking Interface (CNI) plugin will allow developers to configure network connectivity for their application containers helping deliver developer ready infrastructure.

Pricing and Packaging

Though not a new NSX feature, we are also excited to announce changes to our VMware NSX pricing and packaging.

Starting today, customers who purchase VMware NSX have the option of downloading and installing either platform, and should their needs change, they can switch between the two without having to re-purchase NSX.

As mentioned earlier, with NSX for vSphere 6.3, we have introduced a new NSX for ROBO (Remote Office Branch Office) packaging option. For those of you familiar with the vSphere for ROBO and vSAN for ROBO offerings, NSX for ROBO is packaged in the same way.

NSX Everywhere

In last week’s Q4 VMware earnings call, Pat Gelsinger mentioned that NSX is an essential element to VMware Cloud Foundation, Cross-Cloud Services and VMware Cloud on AWS. With both NSX for vSphere and NSX-T, NSX intends to be everywhere in the containerized, multi-cloud future. NSX becomes the bridge that enables customers to unify networking and security across their private and public clouds.

What You Can Do Now

Matt De Vincentis

Rating: 5/5