Data Center Security


Delivering Agile Security For Enterprise Clouds with SDDC and Micro-Segmentation  

Sep 09, 2014 04:14 PM

By Deb Banerjee, Symantec Chief Architect, and Jeremiah Cornelius, VMware Technology Alliances Security Architect

 

Imagine being able to provision, manage and respond to security in real time, across multiple applications and operating systems with different business owners and change-management controls. What if you could do this through automation that kept pace with the agility expected of infrastructure clouds, while reducing complexity and increasing the visibility and interoperability of security controls such as anti-virus and network intrusion prevention?

That's what is now possible, through Software Defined Data Center (SDDC) automation on VMware NSX logical micro-segmentation, enhanced with the capabilities of Symantec's Data Center Security: Server (DCS:Server) integration.

We hear a familiar refrain in recent years from both IT executives and administrators: "If we don't offer AWS-style services, we may not exist in a few years." This pressure to meet business demand drives the current revolution toward increased agility in the enterprise data center. The evidence can be seen in a number of our customers, who are leading a transition from simple virtualization to private-cloud deployments built on VMware NSX, the foundation for a Software Defined Data Center. SDDC capabilities let line-of-business application owners bring their own images, provisioned on an infrastructure cloud and running in minutes. What makes this model possible is NSX's ability to establish these private clouds on an SDDC platform where all core services, including network and security controls, are delivered with the agility once reserved for server virtualization.

The NSX SDDC makes it possible for these enterprises to extend the infrastructure service to sensitive data workloads, including the thorny protections for credit card data or customer information that used to bind such deployments to physical, isolated locations, removed from the benefits of data-center virtualization and agile, consolidated operation. Customer interest in proving and adopting NSX has been consistently fed by micro-segmentation: an SDDC feature for creating a workload isolation boundary in software. This micro-segmentation is central to delivering the speed, flexibility and reduced complexity demanded for placing and operating security controls, with appropriate policies, for these sensitive workloads at scale. The micro-segmentation boundary becomes the common unit of enforcement for an ecosystem of partner-provided security solutions. Each partner may bring a best-of-breed approach to securing the micro-segment, with the customer assured of interoperability and compatible operation.

Coupling the secure, agile NSX-based SDDC with provisioning and management automation such as vCloud Automation Center, the key elements of a private- and hybrid-cloud strategy are now available to meet the IT challenges described above. Security and network controls built for an NSX SDDC are provisioned on demand, with no additional integration needed for their assignment and consumption. This is the direction in which we are headed for the next decade of enterprise computing, networking and security.

Even as the NSX-powered SDDC provides the assurance that policy can be maintained, the threat landscape continues to evolve. Targeted attacks on the enterprise typically land first on endpoints, reaching users through email and web traffic. The compromised endpoint becomes a beachhead from which the attacker moves laterally into the data center, hunting for vulnerabilities in the servers that host sensitive data. It is here that NSX micro-segmentation shows a distinct advantage over the physical data-center network model it supplants. The "kill chain" described for advanced threats depends on the "hard shell, chewy center" of perimeter-enforced physical networks, where server-based controls are a last line of defense, each responding with little or no common reference. NSX replaces the constraint of hardware with an architecture built in software. Security solutions positioned at the boundary of an NSX-defined micro-segment get universal coverage, neither limited by what an agent can do nor confined to specific network aggregation points. This "dries up the swamp" in which advanced threats breed.

Symantec has a wide array of threat detection technologies spanning signature-based anti-malware, file reputation, network exploit detection, and behavioral analysis/virtual execution. Our strategy for bringing agility to security for enterprise customers has two key elements:

  1. Embedding and integrating these technologies into the VMware NSX platform, to take full advantage of the hypervisor enablement for software-defined security.
  2. A policy-based, workload-aware approach to micro-segmentation that automates security operations such as provisioning and response.

The VMware NSX platform offers significant security advantages, including automated, agentless deployment on the hypervisor that is aware of dynamic workload events such as cloning and vMotion. Agentless threat detection speeds application deployment while conserving the shared storage, network and compute resources that in-guest agents would consume. More importantly, NSX allows Symantec to tie specific policies to individual workloads on a fine-grained basis.

Here is one example of how this lets us offer better protection. It makes no sense to protect a Microsoft Exchange workload against Apache exploits on Linux systems, but the limitations of physical placement make any alternative impractical and probably unaffordable. Add the exploding volume of network traffic and data stores, and enterprises can barely manage to scan all traffic and data for all possible exploits. The result is "service rationing" of expensive inspection operations.

NSX-based controls benefit from horizontal distribution: they sit close to the workload they protect, not at the end of an equipment rack. This lets them use shared compute resources without rationing. In the example, NSX achieves this efficiency by steering traffic from the micro-segment containing the Exchange workload to an on-host network threat detection capability that looks only for exploits and compromises relevant to Exchange. This requires a threat detection technology that is application-aware, and an orchestration layer that binds workload awareness and application-specific security policies into traffic-steering rules.

 Together, Symantec and VMware are bringing solutions meeting this requirement to market.

An effective data center security program has elements beyond threat detection, including server hardening/lockdown, vulnerability management and segmentation. Automating the provisioning of these controls for new workloads and micro-segment boundaries means deploying each control where it is needed and provisioning it with the right policy for that workload. Workload policy conditions can be used to dynamically generate a new micro-segment, implemented with the distributed virtual firewall in NSX. As another example, when an Apache server VM is launched, an NSX-based hardening solution is configured with narrowly targeted policies that understand the Apache processes and restrict file-system access and process spawning for Apache specifically.
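To make the policy-driven micro-segmentation described in the last three paragraphs concrete, here is an added illustration in Python. It is not Symantec or VMware code and does not use the NSX API; the VM attributes, security-group naming, port lists, process names, paths and signature-set sizes are all assumptions constructed for this example. It shows a workload's security group being derived from its role and OS rather than its placement, the firewall, traffic-steering and hardening bundle that follows from that group, the same bundle surviving a vMotion, and why steering only the Exchange signature set to the Exchange VM (and only the Apache set to the Apache VM) costs less than blanket inspection.

```python
"""Toy model of policy-based, workload-aware micro-segmentation.

Added illustration only: not Symantec/VMware code and not the NSX API. Every
policy, name, port, path and signature-set size below is a constructed
assumption chosen to show the idea of attribute-driven security groups whose
enforcement follows a workload wherever it runs.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    os: str    # "windows" or "linux"
    app: str   # workload role the image was tagged with, e.g. "exchange", "apache"
    host: str  # hypervisor currently running the VM (changes on vMotion)


@dataclass(frozen=True)
class Policy:
    """Everything the micro-segment boundary enforces for one workload class."""
    inbound_ports: frozenset[int]       # distributed-firewall allow list
    detection_profile: str              # signature set steered to the on-host IDS
    allowed_processes: frozenset[str]   # hardening: processes the workload may spawn
    writable_paths: frozenset[str]      # hardening: paths those processes may write


# Hypothetical per-workload policies, constructed for this example only.
POLICIES: dict[str, Policy] = {
    "exchange": Policy(frozenset({25, 443, 587}), "exchange-exploits",
                       frozenset({"w3wp.exe", "MSExchangeTransport.exe"}),
                       frozenset({"C:\\Program Files\\Microsoft\\Exchange Server\\"})),
    "apache": Policy(frozenset({80, 443}), "apache-exploits",
                     frozenset({"httpd"}),
                     frozenset({"/var/log/httpd/", "/var/www/uploads/"})),
}

# Constructed signature-set sizes, used only to compare inspection cost.
SIGNATURE_SETS: dict[str, int] = {
    "exchange-exploits": 400, "apache-exploits": 600, "generic-exploits": 100,
}


def security_group(vm: VM) -> str:
    """Dynamic membership derived from workload attributes, never from host or IP."""
    return f"sg-{vm.app}-{vm.os}"


def render_enforcement(vm: VM) -> dict:
    """Build the enforcement bundle the boundary applies on vm.host whenever the
    VM appears there (launch, clone or vMotion). A role with no policy falls
    back to default-deny plus a generic inspection profile and no hardening."""
    group = security_group(vm)
    policy = POLICIES.get(vm.app)
    if policy is None:
        return {"group": group, "host": vm.host,
                "firewall": [f"deny any -> {vm.name}"],
                "steer_to": "generic-exploits", "hardening": None}
    allows = [f"allow tcp/{p} -> {vm.name}" for p in sorted(policy.inbound_ports)]
    return {
        "group": group,
        "host": vm.host,
        # explicit allows first, then the default-deny that closes the segment
        "firewall": allows + [f"deny any -> {vm.name}"],
        "steer_to": policy.detection_profile,
        "hardening": {"processes": sorted(policy.allowed_processes),
                      "writable": sorted(policy.writable_paths)},
    }


def vmotion(vm: VM, new_host: str) -> VM:
    """Only the placement changes; membership and policy are recomputed from the
    same attributes, so the bundle rendered on the new host is identical."""
    return VM(vm.name, vm.os, vm.app, new_host)


def inspection_cost(vms: list[VM], app_aware: bool) -> int:
    """Signatures evaluated per packet across all VMs. Blanket inspection runs
    every set against every workload; app-aware steering runs only the set
    relevant to each workload's role."""
    if not app_aware:
        return sum(SIGNATURE_SETS.values()) * len(vms)
    return sum(SIGNATURE_SETS[render_enforcement(vm)["steer_to"]] for vm in vms)


if __name__ == "__main__":
    inventory = [VM("mail01", "windows", "exchange", "esx-a"),
                 VM("web01", "linux", "apache", "esx-b")]
    for vm in inventory:
        print(render_enforcement(vm))
    print("blanket:", inspection_cost(inventory, app_aware=False),
          "steered:", inspection_cost(inventory, app_aware=True))
```

The point of the model is that `render_enforcement` never consults the VM's host or address: the Exchange VM gets the Exchange firewall, steering and hardening bundle on esx-a, and exactly the same bundle after `vmotion` to another host, while the Apache VM never has Exchange signatures steered to it. An untagged workload is closed off by default rather than left open, which is the safe failure mode for a policy engine.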

Symantec is already shipping DCS: Server and Server Advanced, with file- and reputation-based threat detection embedded in and integrated with VMware NSX. At VMworld US 2014, Symantec exhibited a demo of an upcoming release of network exploit detection integrated with NSX, referred to as "Project Wonderland." This is the entry point for a road map that includes virtual execution/dynamic analysis and cloud-service integration for malware detection. Together with VMware and additional partners including Palo Alto Networks and Rapid7, Symantec is bringing security automation solutions to market that enable agility in security for enterprise clouds.

Comments

Oct 14, 2014 02:10 AM

...should be an interesting chat!

Thanks!
