Category Archives for "VMware Network Virtualization Blog"

Re-Introducing VMware AppDefense, Part I – Application Security in Virtualized and Cloud Environments

This blog will be part of a series where we start off with a basic re-introduction of VMware AppDefense and then progressively get into integrations, best practices, mitigating attacks and anomaly detection with vSphere Platinum, vRealize Log Insight, AppDefense and NSX Data Center. Before we get into the meat of things, let’s level-set on a few core principles of what VMware believes to be appropriate cyber hygiene. The full white paper can be viewed here.

  1. Follow a least privileged model
    • The principle of least privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function. For example, a user account created for pulling records from a database doesn’t need admin rights, while a programmer whose main function is updating lines of legacy code doesn’t need access to financial records. The principle of least privilege can also be referred to as the principle of minimal privilege (POMP) or the principle of least authority (POLA). Following the principle of least privilege is considered a best practice in information security.
    • The least privilege model works by allowing only enough access to perform the required job. In an IT environment, adhering to Continue reading

IHS Markit Talks Pioneering Private Cloud, Containers, and VMware Cloud on AWS

Global information, analytics, and solutions company IHS Markit provides data-driven insight for its government and corporate customers. Using VMware vRealize Automation, the company has already rolled out a private cloud that helped developers cut a 6-month infrastructure provisioning process down to one week. They’ve also been using VMware NSX-T Data Center to secure their workloads at a granular level with micro-segmentation, and to fundamentally re-think network design.

At VMworld 2018 in Las Vegas, Andrew Hrycaj, Principal Network Engineer for IHS Markit, spoke about the company’s plans for software-defined networking and hybrid cloud. IHS Markit has deployed VMware NSX Data Center, including NSX-T Data Center and VMware NSX Data Center for vSphere, into five data centers. “The NSX Data Center advantage for us is the fact that it can interact with so many different environments; from containers, to the public cloud environment with AWS and Azure, to on-prem,” said Hrycaj. “We’ll be able to utilize micro-segmentation across all of them with a common security footprint. If NSX-T goes to all those different environments, we can apply the same security policy across all those different platforms. It makes operations’ life easier because the transparency is there.”

 

Innovating with Continue reading

NSX-T Integration with Openshift

I am sometimes approached with questions about NSX-T integration details for Openshift. It seems people are well aware of how NSX-T works and integrates with Pivotal Container Service (aka PKS), Pivotal Application Service (PAS, formerly known as PCF), and even with vanilla Kubernetes, but there is not much information on how we integrate with Red Hat’s Openshift. This post aims to shed some light on the integration with this platform. In the examples below I am using Openshift Origin (aka OKD), but for a supported solution you need to go with Openshift Enterprise Platform. The same NSX-T instance can be used for providing networking, security, and visibility to multiple Openshift clusters.

Example Topology

In this topology we have a T0 router that connects the physical and virtual worlds. We also have a T1 router acting as a default gateway for the Openshift VMs. Those VMs have two vNICs each. One vNIC is connected to the Management Logical Switch for accessing the VMs. The second vNIC is connected to a disconnected Logical Switch and is used by nsx-node-agent to uplink the POD networking. The LoadBalancer used for configuring Openshift Routes plus all project’s T1 routers and Logical Switches are created automatically later when we Continue reading

Securing your SWIFT environment with VMware

The SWIFT Controls Framework was created to help customers figure out which controls are needed to better secure their SWIFT environment. The SWIFT security controls framework is broken down into objectives, principles, and controls. The three objectives are “Secure your environment, Know and Limit Access, and Detect and Respond”.

Customers interested in exploring VMware product alignment with the SWIFT framework should evaluate the end-to-end solution. This includes VMware products, as well as other technology that supports a customer’s SWIFT platform. The following is a high-level alignment of some of the SWIFT framework controls and VMware products.

VMware Product Alignment with SWIFT Objectives

Restrict internet access & Protect Critical Systems from General IT Environment

As part of a SWIFT deployment, a secured and zoned off environment must be created. This zone contains the SWIFT infrastructure that is used for all SWIFT transactions. Two SWIFT Principles that we will discuss are:

  • Protect Critical Systems from General IT Environment
  • Detect Anomalous Activity to Systems or Transaction Records

These controls are required to be enforced on the SWIFT infrastructure.  SWIFT requires that all traffic from the general IT infrastructure to the SWIFT zone be as restricted as possible.   They also Continue reading

Coppell ISD Integrates Security into Infrastructure via VMware AppDefense

What do you get when you provide 12,800 kids with technology and programming classes? You get 12,800 people who are getting ready for the modern workforce of today and tomorrow. You also get 12,800 potential vulnerabilities. With the growing quantity of phishing emails, ransomware and malware that Coppell Independent School District (CISD) already had to combat with a small staff, this Texas school system was looking for smarter solutions.

“All these students who have taken programming classes, they’re often looking to bypass administrative privileges, looking for ways around the internet filters, or looking for ways to play games on the school computers,” said Stephen McGilvray, CISD Executive Director of Technology. “So, in addition to all these external threats we have to worry about, we also have a bunch of homegrown, internal threats.”

The school district recently underwent a data center refresh, which included updates for VMware vSphere, VMware App Volumes and VMware Horizon, and launched the implementation of VMware NSX Data Center. During the refresh, their VMware sales rep told them about a relatively new security product called VMware AppDefense.

At its core, AppDefense shifts the advantage from attackers to defenders by determining and ensuring good application Continue reading

Advanced Solutions Customer Story Part 1: Why NSX-T?

Customer Overview

Advanced Solutions, a DXC Technology company, was formed in 2004 and employs about 500 staff to support the government of the Canadian province of British Columbia and other public sector customers with IT and business process solutions. For government agencies and services to continue operating efficiently and effectively, it is essential that the IT resources that they require are provided quickly and accurately.

Key Pain Points

All IT organizations are acutely familiar with the wide range of pain points and obstacles that can stand in the way of delivering resources to empower their businesses to move with speed and agility. One of the most common hindrances to IT, and therefore business agility is painfully slow provisioning processes, which can take weeks just to provision an application. The most common bottleneck within these processes is provisioning networking and security services. This is a key pain point for Advanced Solutions, but one that VMware is helping them solve with the VMware NSX Data Center network virtualization platform.

Dan Deane, Solutions Lead at Advanced Solutions says, “The key IT pain points that VMware solutions are helping us solve are around networking and provisioning.”

New Use Cases

Advanced Solutions was Continue reading

Go Beyond your CCIE or VCP6-NV

Free VCAP6-NV Certification Exam Prep

Have your CCIE or VCP6-NV? Keep advancing your career by signing up for our free online (on-demand) VMware Certified Advanced Professional – Networking Virtualization (VCAP6-NV) certification exam prep and earn your certification.

Changing your Mindset

Why should you even care about a VCAP6-NV certification? Well, just like how achieving your CCIE was about challenging yourself to be a leader in the industry, earning a VCAP6-NV is about the next evolution of leadership as the enterprise moves to a software-driven multi-cloud infrastructure.

The transition from hardware-centric CCIE to software-defined VCAP6-NV is about a change in mindset and tooling. You need to think beyond the boundaries of a physical device and learn to use new tools and technologies to expand the scope of your current expertise and experience.

As the IT industry goes through massive shifts every decade or so, being able to not only embrace but also lead a paradigm shift is a key indicator of your ability to maintain a position of success and progress.

VMware NSX

The VCAP6-NV certification is the industry standard that validates your knowledge of VMware NSX. The test prep material takes you through real world case studies that mimic the process of problem Continue reading

Onward & Upward: Recapping NSX-T in 2018 and Beyond

Overview

2018 was a big year for NSX-T Data Center, VMware’s network virtualization platform designed and optimized for application workloads running on both vSphere and non-vSphere environments, container platforms, and public clouds. In addition to supporting core use cases around security, automation, and multi-cloud networking, NSX-T Data Center has continued to expand the capabilities of the platform to include enabling networking and security for emerging use cases around containers and cloud-native applications. To support these use cases and increasingly deliver value to customers, NSX-T Data Center saw new versions released, improvements made to plug-ins, and integrations across an expanding ecosystem. 2018 also saw NSX-T Data Center gain significant momentum in terms of customer adoption, delivering enhanced and new capabilities across all use cases to a quickly growing number of customer deployments.

 

Product Releases, Plug-ins, and Integrations

In June, NSX-T Data Center 2.2 was released, bringing with this the ability to manage Microsoft Azure based workloads, referred to as NSX Cloud. The NSX-T Data Center platform was also updated to provide networking and security infrastructure for VMware Cloud on AWS. Other notable capabilities included enhanced data path mode in N-VDS, an improved controller cluster deployment experience, guest Continue reading

Ensuring Security Posture In A Multi Cloud World: A NSX(mas) Carol

Holidays are a great time of year to take a moment and reflect. In 2018 at VMware Networking & Security, we’ve had yet another exciting year for us—we’re very proud of many achievements. For example, NSX now being deployed by 82% of Fortune 100 companies is a substantial industry adoption data point.  But rather than focus on those numbers, I wanted to take a moment to highlight one of our biggest accomplishments this year (in my opinion). Oh, and in case you missed some of those 2018 highlights, you can catch a replay of Tom Gillis’ keynote Building the Network of the Future with the Virtual Cloud Network from VMWorld US 2018.

 

NSX Past

Earlier this year (the end of April to be precise), at Dell Technologies World, we had our external launch of the Virtual Cloud Network. The problem statement was simple: our customers were embarking on a digital transformation journey in their respective lines of business and with those efforts came challenges around a new level of networking complexity. Their goal within their organizations was to move from centralized data centers to hyper-distributed centers of applications and data, typically spanning multiple locations, multiple geos, Continue reading

Enhance Security with NSX Cloud and Horizon Cloud on Microsoft Azure

While virtual desktops have successfully helped address security and operational challenges, IT organizations still have concerns about a growing threat landscape and an expanded security perimeter that they need to protect, especially in public cloud environments. Malware, phishing, and other emerging advanced threats can be used to compromise a virtual desktop to serve as a jumping-off point for an attacker to move laterally into the rest of the network. Until now, customers could secure their VMware Horizon deployments in on-premises data centers with VMware NSX. We are happy to announce that NSX can now also secure virtual workloads deployed by VMware Horizon Cloud on Microsoft Azure, providing a more robust security posture in cloud-hosted virtual desktop environments in Microsoft Azure.

It’s been a great year for Horizon Cloud on Microsoft Azure. This service offering allows customers to easily pair their own Microsoft Azure capacity with the intuitive Horizon Cloud control to quickly deliver virtual desktops and apps to end-users in a matter of hours. There is a lot of momentum from customers as they adopt Horizon Cloud to deliver virtual desktops and applications from their own Microsoft Azure infrastructure to any device, anywhere.

One of the key features of the Continue reading

VMware Cloud on AWS with NSX-T SDDC – Connectivity, Security, and Port Mirroring Demo

VMware Cloud on AWS with NSX-T SDDC – Networking and Security

Watch the embedded demo below or view on the NSX YouTube channel here to see several cool NSX-T networking and security capabilities within VMware Cloud on AWS. The demo shows connectivity from VMware Cloud on AWS SDDC to on-prem via AWS Direct Connect Private VIF. Access to native AWS services from VMware Cloud on AWS SDDC is also shown. Additionally, Edge security policies, distributed firewall/micro-segmentation, and port mirroring are demonstrated. Continue reading

Introducing VMware NSX Service Mesh

We are excited to introduce VMware NSX® Service Mesh. Built on the foundation of Istio, this VMware offering will extend the capabilities of the Istio service mesh technology to bring visibility, control, and security at the application layer to microservices, the data they access, the users that interact with them, as well as traditional monolithic applications. In short, NSX Service Mesh will enable visibility, control, and security for services, data, and users at the API level. This acts as a natural evolution of cloud-native constructs and will act as an extension of the NSX-T Data Center platform’s replication of networking and security services in software, which is applied directly to containers via the Container Network Interface (CNI).

 

NSX Service Mesh

The Rise of Microservices

With the rise of cloud-native architectures built on distributed microservices, developers are encountering challenges with visibility, management, and control of these new applications. The microservices that these apps are comprised of are developed on cloud-native platforms like Kubernetes or Cloud Foundry, using a variety of programming languages, and often across multiple cloud environments. In addition, these applications consist of many more endpoints to scale, secure, and monitor than in traditional ones. This ultimately Continue reading

Introducing the Virtual Cloud Network Readiness Assessment

Is your network ready for applications, automation, multi-cloud, containers and more? Here’s a truth bomb for you: the network that got us here today is not sufficient for tomorrow. Sorry to be sardonic, but here are the facts: today, new business models, cloud adoption, and the explosion of connected devices are now must-haves for organizations that are prioritizing digital transformation initiatives. But legacy network approaches rooted in hardware just don’t cut it anymore; technology is rapidly shifting and improving at a rate that is undeniably fast. To keep up, modern networks must be able to support operations across data centers, multiple clouds, branch locations, and edge devices while prioritizing security for the ever-growing amount of application data that flows from every point within a network.

Despite these shifts and needs, many organizations do not have a unified approach to management, automation, and security. Do you know if your network does? Find out how software-first networking can transform your business.

Virtual Cloud Network Readiness Assessment

The Virtual Cloud Network Readiness Assessment can help you assess the current state of your network and security – for free.  By answering a few questions in this 10-minute survey, you’ll get a personalized report that Continue reading

VMware NSX Cloud at AWS re:Invent 2018

Howdy… if you have managed to check-in and get your AWS re:Invent pass, congratulations! Looks like running between AWS sessions across hotels in Las Vegas is the new Turkey Trot – welcome to the “Cloud First” world! Amongst all the craziness, we just wanted to take a moment and send a note to you from the NSX team.

As all of you know, NSX Cloud has supported Azure and AWS since our latest NSX release – NSX 2.3. NSX Cloud will be showcased at the NSX demo pod at the VMware booth (Booth #2201) at AWS re:Invent (Sands Expo, Venetian). Our product experts are looking forward to meeting customers, answering product and use-case questions, and showcasing demos.

During the event, there will be multiple theatre presentations on NSX Cloud with a lot of swag to grab. For customer/partner meetings on NSX Cloud during the event, please reach out to the PM team (Percy Wadia, Shiva Somasundaram and Amol Tipnis). If you would like to take a look at all the Past Blogs and YouTube Videos on NSX Cloud, we have got it sorted for you.

Big Announcements:

The excitement is going to continue even after re:Invent as we will Continue reading

VMware NSX Cloud Now in AWS Solution Space

We are excited to announce that NSX Cloud, the VMware networking and security solution for AWS-native applications and hybrid-cloud, is now available in the AWS Solution Space! AWS created the Solution Space as a place for AWS Partner Network (APN) Technology Partners to showcase customer-ready solutions that combine AWS services with partner technologies and, optionally, consulting offers from APN consulting Partners. This is an especially notable milestone for NSX Cloud because it will be one of the first offerings in the Networking category for Solution Space.

NSX Cloud will be featured at AWS re:Invent this week, so be sure to stop by our theater sessions at the VMware booth (#2201) on Tuesday at 3:30pm or Thursday at 11:30am. We look forward to seeing you there, and are giving away an exciting prize to a lucky winner at each session!

What is NSX Cloud?

NSX Cloud is an extension of VMware’s NSX Data Center technology that brings the NSX networking and security framework to cloud-native applications in AWS. With NSX Cloud, IT administrators can apply the exact same networking and security policies they use in the data center to AWS-native applications, and they can manage those applications through the same interface Continue reading

Check Point CloudGuard now supports North-South service insertion for NSX-T Data Center

With VMworld Europe just around the corner, we are excited to announce that our valued partner Check Point’s product CloudGuard has met all the certification requirements for NSX-T Data Center North-South service insertion! This is the first such certification following the recent release of version 2.3. It is particularly exciting given that NSX-T is designed to connect and protect workloads running in multiple environments like public clouds and on-premises data centers, and CloudGuard for North-South traffic works at the point of connection between these networks. 

Enhancing security gateway capabilities with Check Point’s CloudGuard for traffic moving between virtual machines and external networks secures your assets and data in the cloud against even the most sophisticated threats, with multi-layered protections including: Firewall, IPS, Application Control, IPsec VPN, Antivirus, Anti-Bot, and award-winning SandBlast Threat Emulation and Threat Extraction technologies.  

NSX-T Data Center was designed with the concept of service insertion top of mind, enabling users with specific needs to seamlessly add third party applications at various points throughout the network. Having a robust ecosystem of partners is key to providing maximum flexibility for NSX-T Data Center, enabling you to add partner functionality that is tailored to your unique requirements without degrading performance elsewhere in the SDDC. Partner applications are Continue reading

Education Service Center Region 11 Protects Student Data with VMware NSX Data Center

Rory Peacock is the Deputy Executive Director of Technology at Education Service Center Region 11, where he oversees all technology services provided to Region 11 schools.

Region 11 is one of 20 education service centers throughout the State of Texas. In Texas, an education service center manages education programs, delivers technical assistance, and provides professional development to schools within its region. With regards to technology, education service centers assist their schools with hosted services and technical support.

Education Service Center Region 11 serves 70,699 educators and almost 600,000 students across 10 urban and rural counties.

I had the opportunity to talk to Rory about some of his largest technology challenges since he joined Region 11 in 2015.

 

Day Zero

Region 11 is a long-time VMware customer, introducing VMware vSphere in 2009. Since then, Region 11 has virtualized over 95% of their server environment. They’ve also made the move to virtual desktops utilizing VMware Horizon to support their 200 employees.

On the very day in 2016 that a meeting was set with the VMware NSX Data Center team to demo the product, Region 11 was hit with a zero-day attack of ransomware. A legacy system was hit in its demilitarized Continue reading

Flexible deployment options for NSX-T Data Center Edge VM

Each datacenter is unique and is designed to serve specific business needs. To serve these business needs, you could have a small or a large ESXi/KVM footprint. NSX-T Data Center can be leveraged to provide networking and security benefits regardless of the size of your datacenter. This blog focuses on a critical infrastructure component of NSX-T Data Center, i.e. the NSX-T Edge node. Refer to my previous blogs, where I have discussed how the centralized components of a logical router are hosted on Edge nodes and also provide centralized services like N-S routing, NAT, DHCP, load balancing, VPN, etc. To consume these services, traffic from compute nodes must go to the Edge node.

These NSX-T Edge nodes could be hosted in a dedicated Edge cluster or a collapsed Management and Edge cluster as discussed in the NSX-T Reference design guide. NSX-T Edge nodes could also be hosted in a Compute Cluster in small datacenter topologies, making it a Collapsed Compute and Edge Cluster design. Please refer to the NSX-T Reference design guide to understand the pros/cons of using a dedicated cluster vs a shared cluster.

In this blog, I will cover various deployment options of NSX-T VM form factor Continue reading

Accelerated Data Plane Performance Using Enhanced Data Path in NUMA Architecture

Authors: Jambi Ganbar (Sr. Technical Solutions Manager, NFV), Jubin Thomas (NSX Information Experience team)

Overview

Some workloads demand accelerated and predictable networking performance.  Our Network Functions Virtualization (NFV) customers and some of our financial, media, and high-performance computing (HPC) customers deploy these workloads. These workloads process a lot of network traffic. Network traffic in the virtual domain relies heavily on CPU cycles and the number of CPU cores available on the host.  These CPU resources are used by the workload to perform its task and by the hypervisor layer to deliver network traffic to and from the application.

In this blog, we discuss the configuration required to achieve accelerated data plane performance in modern multiple NUMA architecture hosts. This blog accompanies a new white paper we just released on the subject.  The white paper can be found here.

With the introduction of NSX-T version 2.2, we added a new mode of operations in the NSX-controlled virtual distributed switch. We refer to this switch as N-VDS.  This new mode is called Enhanced Data Path and is often indicated as N-VDS (E).  N-VDS (E) is one of the core building blocks in achieving accelerated data plane Continue reading

Inaugural 2018 Gartner Magic Quadrant for WAN Edge Infrastructure and VMware NSX SD-WAN by VeloCloud

Congratulations to the VMware NSX SD-WAN by VeloCloud team for its recognition as a Leader in the first Gartner Magic Quadrant for WAN Edge Infrastructure! The report is the first Magic Quadrant that includes evaluation of SD-WAN vendors, and to be named a Leader with the position furthest on Completeness of Vision is quite an honor.

VeloCloud, now part of VMware, began with the idea to remedy branch networking issues because the networks of yesterday were optimized to haul traffic back to the datacenter, not to the cloud where applications of today are housed. SD-WAN has solved for this issue amongst a plethora of others, becoming a technology disruptor in a way that nothing else has been in decades.

SD-WAN has, in a very short period of time, transitioned from a networking “nice-to-have” to a necessary component of the network infrastructure.  We’re excited to have Gartner recognize another key component of our rapidly growing networking portfolio and integral product in the VMware Virtual Cloud Network vision to provide the connectivity across cloud, data center, branches, end user, and applications regardless of where they will be used.

 

To download the 2018 Gartner Magic Quadrant on WAN Edge Infrastructure, click here.

Follow VMware NSX Continue reading
