NSX and Micro-segmentation

Captions
[Applause] Good afternoon. My name is John Whitman. I'm a senior systems engineer with the Network and Security Business Unit at VMware. Today we're going to talk about NSX and micro-segmentation.

Now, from a high level, what is micro-seg? Micro-segmentation is kind of a buzzword. It's a hot word that people are talking about right now. You might hear, you know, your networking folks talk about it in your company, you might be hearing your vSphere folks talking about it, you've definitely heard about it at VMworld. It's not a new concept; it's something that is revolutionizing the networking industry. So what is micro-segmentation?

Okay, let's draw out a typical environment. So let's say I have a three-tier application, and my application is connected to a router, and these are my switches. Now with micro-segmentation these can be virtual switches from NSX, they can be a vCenter or DVS, doesn't matter. Okay, but for the sake of conversation we have three switches out in the environment. Now my application sits on those switches; I have VMs that run in these environments to support my application. Okay, and let's call this "app", and this is going to be 10.100.20.X, and this guy is going to be my database, and this is going to be 10.200.20.X, and this is going to be my web, and this is going to be 10.80.20.X. Let's mix it up a little bit, okay.

Now traditionally you would have to take and run a separate firewall. So if I had two VMs that I wanted to talk to each other, they would have to go from one switch to the router to the firewall, back through the router, into the switch, and now I can block traffic. I can say that we're only going to allow 80 and 443 and so forth, but we're going to deny, you know, 3389 and 10 10, okay. So this is traditional, right? With NSX micro-segmentation we're able to create rules that apply directly on each VM. "Now that's great, John, I'm able to disperse out my firewall rules, I'm able to create an environment where each VM has got a bunch of complex rules." That's the 2D way of thinking of it. Remember, these are ACLs, right? I have an access control list; it says this VM can't talk to this VM over this port and protocol, right? That's very, that's very two-dimensional thinking.

Right now expand your mind and think about three-dimensional firewalling, where not only can we put a firewall on each VM, we put that firewall in between. We can now group VMs to say that this VM can talk 80 to this VM, right, but these two down here can't talk to each other at all. I want to create a global policy that says my web tier is isolated, okay, and I want to create an application-tier firewall rule that says each machine is now isolated from itself. Now to take that a step further, and where I say that this gets into three-dimensional, is we can start putting wrapper policies not only around entire subnets or around entire switches, but you can now nest these policies. We can take a VM and I can put a security policy around it that says allow traffic, deny traffic, and you choose what port and protocol that traffic is. Now I can put another policy around that that says specific VM-to-VM traffic, and I can put another policy around it that says switch-to-switch policy enforcement. Now this is what I mean by three-dimensional firewalling. This is true micro-segmentation, because if you think about this, this is per VM; this is at the VMkernel level, so actually right where the VM connects to your switch, whether it's an NSX virtual switch, whether it's a standard virtual switch, or a vSphere Distributed Virtual Switch, the traffic is stopped right at the virtual machine itself. So instead of creating an ACL policy of one to three, deny, allow, deny, allow, deny, allow, this distributed firewall policy is one policy: deny, allow, from two plus other. So you now have enhanced policies that, instead of having lines and lines and lines of ACL access lists, you have inherent, easy-to-read, easy-to-decipher distributed firewall policies, right?

So this now, take this concept and apply it over here. You're able to take and wrap policies around VMs, and notice how I've taken here, let's, let's take this and scale this out a little bit. I've taken two VMs; I put a policy around one, I put a policy around both, and then I can have a global policy. So this can be my global policy, this can be my group policy, and this can be my individual policy, right? So think of it three-dimensional. Think of it: you can now secure east-west traffic from VM to VM with contiguous IP addresses, you can secure and address an entire subnet, you can secure an entire switch, and remember you can, you can apply this based off of IP, MAC, switch membership, operating system and so on. There is an entire list of grouping capabilities for how you can identify a virtual machine out on your network and apply these policies. I hope to spark your interest. I hope this made sense. Thank you very much, and I hope you watch the next video. Have a great day. [Music]
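The nested global / group / individual policy wrappers and the attribute-based grouping (IP, switch membership, operating system) that the talk describes, as an added illustration in Python. This is a constructed model written for this page, not NSX code or the NSX API: the VM names, subnets (following the whiteboard sketch), switch names, ports and group definitions are all sample values, and the evaluation order (every wrapper a flow crosses must allow it, first matching rule wins inside a wrapper, default deny in the group wrapper) is an assumption chosen to show the idea, not NSX's own rule-processing semantics.

```python
"""Constructed model of a per-VM distributed firewall whose rules come from
nested policy wrappers (global / group / individual); sample data, not NSX."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    switch: str   # virtual switch the vNIC attaches to
    os: str


@dataclass(frozen=True)
class Group:      # dynamic membership test: by IP prefix, switch, OS, name...
    name: str
    member: Callable[[VM], bool]


@dataclass(frozen=True)
class Rule:
    src: Group
    dst: Group
    port: Optional[int]   # None matches any destination port
    proto: str            # "tcp", "udp" or "any"
    action: str           # "allow" or "deny"


@dataclass
class Policy:
    name: str
    scope: str            # "global", "group" or "individual"
    applied_to: Group     # consulted only for traffic to or from its members
    default: str          # action when none of its rules match
    rules: List[Rule] = field(default_factory=list)


# Wrappers are crossed from the outside in; a flow must be allowed by every
# wrapper that applies to it, so a deny at any layer is final.
SCOPE_ORDER = {"global": 0, "group": 1, "individual": 2}


def layer_decision(policy: Policy, src: VM, dst: VM,
                   port: int, proto: str) -> Optional[str]:
    """One wrapper's verdict, or None if it does not apply to this flow."""
    if not (policy.applied_to.member(src) or policy.applied_to.member(dst)):
        return None
    for rule in policy.rules:  # first matching rule wins within a wrapper
        if (rule.src.member(src) and rule.dst.member(dst)
                and rule.port in (None, port) and rule.proto in ("any", proto)):
            return rule.action
    return policy.default


def evaluate(policies: List[Policy], src: VM, dst: VM,
             port: int, proto: str = "tcp") -> Tuple[str, str]:
    """Return (action, name of the denying wrapper or 'all-layers')."""
    for policy in sorted(policies, key=lambda p: SCOPE_ORDER[p.scope]):
        if layer_decision(policy, src, dst, port, proto) == "deny":
            return "deny", policy.name
    return "allow", "all-layers"


# Constructed inventory; subnets follow the talk's whiteboard sketch.
web01 = VM("web-01", "10.80.20.11", "vds-web", "linux")
web02 = VM("web-02", "10.80.20.12", "vds-web", "linux")
app01 = VM("app-01", "10.100.20.11", "vds-app", "windows")
app02 = VM("app-02", "10.100.20.12", "vds-app", "windows")
db01 = VM("db-01", "10.200.20.11", "vds-db", "linux")
client = VM("client", "192.0.2.10", "external", "any")
ANY = Group("any", lambda vm: True)
WEB = Group("web-tier", lambda vm: vm.ip.startswith("10.80.20."))  # by IP
APP = Group("app-switch", lambda vm: vm.switch == "vds-app")        # by switch
DB = Group("db-switch", lambda vm: vm.switch == "vds-db")
WINDOWS = Group("windows-vms", lambda vm: vm.os == "windows")       # by OS
APP02 = Group("app-02-only", lambda vm: vm.name == "app-02")        # one VM

POLICIES = [
    # Outermost wrapper: tiers isolated from themselves, no RDP into Windows.
    Policy("global-baseline", "global", ANY, "allow", [
        Rule(WEB, WEB, None, "any", "deny"),
        Rule(APP, APP, None, "any", "deny"),
        Rule(ANY, WINDOWS, 3389, "tcp", "deny"),
    ]),
    # Group wrapper: only the three-tier flows that are supposed to exist.
    Policy("three-tier-flows", "group", ANY, "deny", [
        Rule(ANY, WEB, 80, "tcp", "allow"),
        Rule(ANY, WEB, 443, "tcp", "allow"),
        Rule(WEB, APP, 8080, "tcp", "allow"),
        Rule(APP, DB, 1433, "tcp", "allow"),
    ]),
    # Innermost wrapper on one VM: nothing in or out while under maintenance.
    Policy("app-02-maintenance", "individual", APP02, "allow",
           [Rule(ANY, ANY, None, "any", "deny")]),
]

if __name__ == "__main__":
    for s, d, p in [(client, web01, 443), (web01, web02, 80), (web01, app02, 8080)]:
        print(f"{s.name} -> {d.name}:{p}", *evaluate(POLICIES, s, d, p))
```

The point of the three layers is that each one answers a different question: the global wrapper states what must never happen between tiers (web-to-web and app-to-app stay isolated regardless of port), the group wrapper whitelists the handful of three-tier flows that should exist and denies everything else, and an individual wrapper can fence off a single VM without touching either of the broader policies. Because every wrapper is enforced at the VM's own attachment point, a flow between two web VMs on the same switch is stopped without ever being hairpinned through a router and a central firewall.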
Info
Channel: VMware NSX
Views: 41,007
Keywords: cloud storage, virtual machine, virtualization, vmware, vmware nsx, data center, cloud hosting, cloud computing, nsx, sddc, sdn, micro-segmentation
Id: L_QtlSXaxkE
Length: 8min 21sec (501 seconds)
Published: Tue Jan 03 2017