SAI2041BU – NSX DMZ Anywhere: Modernizing the DMZ
VMworld 2017

Wade Holmes, Sr. Manager of Technical Product Management, VMware Networking and Security
Chris Krueger, Managing Principal, Security Architecture, Coalfire Systems, Inc.

Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Agenda
1 Introduction and Objectives
2 Current State and Challenges
3 DMZ Anywhere
4 DMZ Anywhere: Design Patterns
5 Coalfire DMZ Anywhere Benchmark
6 Additional Resources

NSX Use Cases
• Solution level: SDDC
• Product level: NSX platform
• Initiative level: Security, Automation, App Continuity
• Project level: Micro-segmentation, IT Automating IT, Disaster Recovery, Secure End User, Developer Cloud, Multi Data Center Pooling, DMZ Anywhere, Multi-tenant Cloud, Cross Cloud

What is a DMZ?
A segment that acts as an intermediary and borders a trusted network and an untrusted network.
[Diagram: External – DMZ – Internal]

DMZ – Secure area with maximum security and visibility

Maximum Security?
[Diagram: External – DMZ – Internal]

DMZ Exposure
• There is *always* a risk for an asset placed on a DMZ network
  – It is allowing incoming connections from a lower-trust zone (frequently the internet)
  – Even if a web server is completely patched and locked down to only the allowed ports, it is still vulnerable to attack from other servers on the same L2 network
• Backend connections (3-tier apps)
  – Many services require connections back to other DBs or servers; allowed connections into higher-trust networks must be closely monitored and restricted

Maximum Visibility?
[Diagram: External – DMZ – Internal]
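The exposure slide's point, that a perimeter firewall never sees traffic between two hosts on the same DMZ segment while per-workload enforcement does, can be shown with a small policy model. This is an added example, not code from the deck or from NSX; the segments, hosts and rules are constructed, and the two decision functions are hypothetical stand-ins for the two enforcement points.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (not from the deck): one DMZ segment, one internal segment.
SEGMENTS = {"internet": "0.0.0.0/0", "dmz": "10.1.0.0/24", "internal": "10.2.0.0/24"}
WEB1, WEB2, DB = "10.1.0.10", "10.1.0.11", "10.2.0.5"

@dataclass(frozen=True)
class Rule:
    src: str             # CIDR the source must fall in
    dst: str             # CIDR the destination must fall in
    port: Optional[int]  # None means any destination port
    action: str          # "allow" or "deny"

# The same rule set is used in both models; only where it is enforced differs.
RULES = [
    Rule("0.0.0.0/0", "10.1.0.0/24", 443, "allow"),     # internet -> DMZ web tier, HTTPS only
    Rule("10.1.0.0/24", "10.2.0.5/32", 3306, "allow"),  # web tier -> DB, the backend connection
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),       # default deny
]

def evaluate(rules, src, dst, port):
    """First-match policy lookup; implicit deny if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "deny"

def segment_of(ip):
    """Most specific matching segment; 'internet' is the 0.0.0.0/0 catch-all."""
    addr = ip_address(ip)
    hits = [n for n, cidr in SEGMENTS.items() if addr in ip_network(cidr)]
    return max(hits, key=lambda n: ip_network(SEGMENTS[n]).prefixlen)

def perimeter_decision(src, dst, port):
    """Traditional DMZ: the firewall sits between segments, so a flow between two
    hosts on the same L2 segment never reaches it and is implicitly allowed."""
    if segment_of(src) == segment_of(dst):
        return "allow"  # never inspected by the perimeter firewall
    return evaluate(RULES, src, dst, port)

def microseg_decision(src, dst, port):
    """DMZ Anywhere / micro-segmentation: policy is enforced at every workload,
    so east-west flows inside the DMZ get the same first-match check."""
    return evaluate(RULES, src, dst, port)
```

Note that the internet-to-web rule uses an any source, so under micro-segmentation WEB2 can still reach WEB1 on 443; narrowing that rule's source is what closes the remaining intra-tier path.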