Friday 24 th April Keynote Presentation by Guido Appenzeller, Chief - - PowerPoint PPT Presentation



SLIDE 1

Friday 24th April

Keynote Presentation by Guido Appenzeller, Chief Technology Strategy Officer for Networking and Security

‘The Next Horizon for Cloud Networking and Security’

SLIDE 2

The Next Horizon for Cloud Networking and Security

Guido Appenzeller

Chief Technology & Strategy Officer Networking & Security VMware

SLIDE 3

Networking is a Software Industry

SLIDE 4

Evolution of Compute vs Evolution of Networking

[Diagram: compute generations (Mainframe / Workstation, Client Server, Cloud) drawn as stacks beside the networking stack. Each compute stack builds Chip → System Software → CPU → Operating System, later adding Compute Virtualization with several OS instances and, in the cloud, Orchestration & Management. Networking is still drawn as Chip → System Software.]

SLIDE 5

Revolution in Networking

  • Stanford Photo with quote around innovation, fossilization
SLIDE 6

Revolution in Networking

SLIDE 7

Evolution of Software Defined Networking

Timeline: 2008, 2010, 2012, 2014, 2015, 2016

Research
  • OpenFlow
  • Mostly in Academia
  • Experimental

Products & Architecture (Architectural Battles)
  • Overlay Networks
  • Centralized Control Planes
  • Service Providers & Enterprise

Network Virtualization has become mainstream.
  • Operational Readiness
  • Easy Deployment
  • Operational Tools

SLIDE 8

NSX 2014 Customer & Business Momentum

  • Production Deployments: 70 (adding 25-50 per QTR)
  • NSX Customers: 400+
  • % of Top Banks Adopting NSX: 80

SLIDE 9

Software Defined Network is the big moment to create the unified way of operating and teaming

Teams: Network, Security, Operations, Storage, Servers, Audit

SLIDE 10

Software Defined Network is the big moment to create the unified way of operating and teaming

Teams: Cloud, Business

SLIDE 11

The golden era of network administration is now.

Network Automation Nirvana

DevOps Mentality + Rich APIs + Scripting

SLIDE 12

  • Virtual infrastructure
  • 3rd Generation Apps and Cloud
  • State of Network Virtualization and SDN

SLIDE 13

Two Tier Infrastructure Model

VM or server workloads and network are separate security domains

[Diagram: Internet → Physical Network Infrastructure → Physical Servers]

SLIDE 14

Two Tier Infrastructure Model

VM or server workloads and network are separate security domains

[Diagram: Internet → Physical Network Infrastructure → Virtual Machines]

SLIDE 15

Two Tier Infrastructure Model

VM or server workloads and network are separate security domains

[Diagram: Internet → Physical Network Infrastructure → Virtual Infrastructure → Virtual Machines]

SLIDE 16

Virtual Infrastructure

Virtualizing the Network and Security

[Diagram: Internet → Physical Network Infrastructure → Virtual Infrastructure → Virtual Machines]

Virtual infrastructure layer: Switches (L2), Routers (L3), Load Balancer, Firewall (Security)

SLIDE 17

Virtual Infrastructure

What else can we do with virtual infrastructure?

[Diagram: Internet → Physical Network Infrastructure → Virtual Infrastructure → Virtual Machines]

  • App Delivery
  • VPN
  • IDS/IPS
  • DLP
  • End point security
  • Monitoring/Logging
  • Key storage
  • PII/PCI data storage

SLIDE 18

Why virtual infrastructure?

Security Automation Application Continuity

SLIDE 19

Perimeter-focused security

Unconstrained Communication

Little or no lateral controls inside perimeter

Sophisticated attackers bypass perimeter defenses. The initial system that is compromised is often of low value. Because of a lack of internal controls, attackers can move around the data center freely and over time infect systems with sensitive data. Attackers gather and exfiltrate data over weeks or even months.

[Diagram: Internet → Data Center Perimeter]

SLIDE 20

Micro-Segmentation

Why can’t we have individual firewalls for every VM?

  • Physical firewalls: cost prohibitive with complex configurations
  • Virtual firewalls: slower performance, costly and complicated

With traditional technology, this is operationally infeasible.

[Diagram: Internet → Data Center Perimeter]

SLIDE 21

Secure Micro-Segmentation in the Data Center

[Diagram labels: Internet, Perimeter Firewalls, Security Policy, Cloud Management Platform]

SLIDE 22

Security: Protected Domain

[Diagram labels: Endpoint Virtualization, Network, Virtual Machine, VM, Protected Domain, Hypervisor, Application, Trusted Module; functions: Secure Data, Secure Audit, Provision Keys, Verify Signature]

The hypervisor can bridge the context / isolation gap

SLIDE 23

Microsegments as a Policy Primitive

[Diagram: Internet → Firewall → Load Balancer → Web Tier → App Servers → Database, with Policy & Security attached to each tier]

  • Web Tier: Allow TCP Port 443, Deny All, Provision: SSL Certificate, Hypervisor based IDS
  • App Servers: Allow TCP Port 80, Network Encryption to DB, Hypervisor based IDS
  • Database: Allow TCP Port 3306, Allow PCI Data to be stored on this server, Hypervisor based IDS
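As an added example (not code from the presentation or from VMware NSX), the three-tier rules on this slide written as a default-deny micro-segmentation policy that can be checked flow by flow; the segment names, the Flow/Segment types and the sample flows are constructed, and assigning ports 443, 80 and 3306 to the web, app and database tiers follows the slide.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    src: str   # source segment, or "internet" for traffic crossing the perimeter
    dst: str   # destination segment
    port: int  # TCP destination port

@dataclass
class Segment:
    name: str
    allow: dict          # port -> source segments allowed to reach it; anything else hits "Deny All"
    controls: set = field(default_factory=set)  # IDS, encryption, PCI storage, certificate

# The three tiers from the slide: web (443 from the internet, SSL certificate, hypervisor IDS),
# app (80 from web, encrypted path to the DB, IDS), db (3306 from app, PCI data allowed, IDS).
POLICY = {
    "web": Segment("web", {443: {"internet"}}, {"hypervisor-ids", "ssl-certificate"}),
    "app": Segment("app", {80: {"web"}}, {"hypervisor-ids", "encrypt-to-db"}),
    "db": Segment("db", {3306: {"app"}}, {"hypervisor-ids", "pci-storage"}),
}

def evaluate(flow, policy=POLICY):
    """Return 'allow' only when an explicit rule matches; every other flow is denied."""
    seg = policy.get(flow.dst)
    if seg is None:
        return "deny"  # unknown destination: no rule, so the default applies
    return "allow" if flow.src in seg.allow.get(flow.port, set()) else "deny"

def may_store_pci(segment, policy=POLICY):
    """Is this segment explicitly permitted to hold PCI data (the DB tier on the slide)?"""
    return "pci-storage" in policy[segment].controls

# Constructed sample flows: the intended web -> app -> db path, plus the lateral moves
# that a perimeter-only design (previous slides) would let through unchallenged.
SAMPLE_FLOWS = [
    Flow("internet", "web", 443), Flow("web", "app", 80), Flow("app", "db", 3306),
    Flow("internet", "db", 3306), Flow("web", "db", 3306), Flow("web", "app", 22),
]

def blocked(flows=SAMPLE_FLOWS, policy=POLICY):
    """Flows the micro-segmentation policy stops; with just a perimeter firewall they all succeed."""
    return [f for f in flows if evaluate(f, policy) == "deny"]
```

Running `blocked()` lists the three flows the per-tier policy denies, which are exactly the east-west paths a perimeter-only design leaves open.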

SLIDE 24

Why virtual infrastructure?

Automation Security Application Continuity

SLIDE 25

Automation

[Diagram: Internet → Physical Network Infrastructure → Virtual Infrastructure → Application Workloads]

SLIDE 26

Platform Services Enable Robust Ecosystem

We expect the vast majority of this functionality to come from partners

[Diagram: Internet → Physical Network Infrastructure → Virtual Infrastructure → Applications and End Hosts]

SLIDE 27

Self Service IT: Driving IT Agility

Automation by IT for IT (Provider)
Automation by IT for End user (Cloud Consumer)
Automation by IT for External Use

  • Developer Cloud
  • Community Cloud
  • Services Cloud
  • IAAS
  • Faster project onboarding
  • Elastic Services
  • Streamline Security Enforcement
  • Mergers & Acquisitions
SLIDE 28

Why virtual infrastructure?

Application Continuity Automation Security

SLIDE 29

Hardware Refresh

Virtual infrastructure decouples applications from hardware

[Diagram: Internet → Physical Network Infrastructure → Virtual Infrastructure → Virtual Machines]

Isolation

SLIDE 30

Disaster Recovery

Network configuration becomes easily replicable once it is software defined

[Diagram: Original Site and Backup Site, each Internet → Physical Network Infrastructure → Virtual Infrastructure → Application Workloads]

SLIDE 31

  • Virtual infrastructure
  • 3rd Generation Apps and Cloud
  • State of Network Virtualization and SDN

SLIDE 32

3rd Platform Apps

How are these apps different?
  • Built-in scale-out
  • Built-in redundancy
  • Often stateless with state stored in a service
  • Build on higher level abstractions

What does this mean for networking and security infrastructure?
  • File system → Storage Services
  • L2+L3 Networking → L3 Networking Only
  • ADC Appliance → Load Balancing Service
SLIDE 33

Containers

Containers emerging as the application management layer of choice

[Diagram: VM model (Host → Hypervisor → VMs, each OS → App Framework → Applications) beside the container model (Host → OS → App Framework → many application Containers)]

SLIDE 34

Container Networking

Enterprise Model Today: Containers run inside of VMs
  • One VM per server per security domain
  • Containers often behind NAT
  • No container level networking

Does this make sense? It actually does…

[Diagram: Hypervisor with a vSwitch; two VMs, each holding four Containers]

SLIDE 35

Container Networking

In the future, container level visibility: Two levels of vSwitch
  • First layer vSwitch inside the container VM
  • Second layer vSwitch inside the Hypervisor
  • Container level networking

[Diagram: Hypervisor vSwitch; two VMs, each with its own vSwitch and four Containers]

SLIDE 36

Containers – do we still need a Hypervisor?

[Diagram: Internet → Physical Network Infrastructure → three Servers, each with a vSwitch and four Containers, no hypervisor]

Without Hypervisor:
  • Attacker compromises container
  • Privilege escalation to get root access on container host
  • Now has direct access to the physical network
  • Can compromise other physical hosts

Without a hypervisor, attackers can spread

SLIDE 37

Containers – do we still need a Hypervisor?

[Diagram: Internet → Physical Network Infrastructure → Hypervisor with vSwitch → three Guests, each with its own vSwitch and four Containers]

Hypervisor provides a security control point

With Hypervisor:
  • Attacker can’t escalate from container to vSwitch
  • Does not gain physical network access
  • Ability to spread is limited

SLIDE 38

Three Tier Model

Containers still need virtual infrastructure

[Diagram: Internet → Physical Network Infrastructure → Virtual Infrastructure → Applications and End Hosts (Containers)]

SLIDE 39

Power of cloud: workload mobility

SLIDE 40

Lock-in through services

[Diagram: three clouds, each with its own Storage Service, Load Balancing Service and Firewall Service]

SLIDE 41

Cloud: Just new Silos?

[Diagram: three clouds, each with its own Storage Service, Load Balancing Service and Firewall Service]

SLIDE 42

BYOI – Bring your own infrastructure

[Diagram: three clouds, each with Storage Service, Load Balancing Service and Firewall Service; Virtual Infrastructure layer]

SLIDE 43

Virtual Infrastructure for the SDDC and Cloud

[Diagram: Virtual Infrastructure Layer across Datacenter #1, Datacenter #2 and Clouds, each reached via Internet → Physical Network Infrastructure]

SLIDE 44

Thank you