CarahCast: Podcasts on Technology in the Public Sector

Networking and Security Architecture of the Digital Age with VMware's Virtual Cloud Network

Episode Summary

During this podcast, VMware partners heard from George Cassels, Network Security Specialist, at VMware.

Episode Transcription

Speaker 1: On behalf of VMware and Carahsoft, we would like to welcome you to today's podcast, Networking and Security Architecture of the Digital Age with VMware's Virtual Cloud Network. Today's speaker is George Cassels.

George Cassels: Thank you very much. My name is George Cassels, I'm a network security specialist at VMware. So we're gonna go ahead and get started. A lot of people don't realize the last couple of acquisitions VMware has made are all around security. And historically, we've always focused on the micro-segmentation aspect of the business when it came to security. Well, with a couple of in-house developments and a couple of key acquisitions, we are now focusing on a $5 billion total addressable market that we'll be going after. But when it comes to what network administrators and network directors see, when they're trying to look at either visibility or complexity, they know it's a tradeoff, right? Because typically, you have to make major network changes in order to get the level of visibility you might need, especially inside a data center. And so, knowing that you lack it, but knowing that you have to make those network changes, some people choose not to. But it's not an "and," it's not an "or" scenario for us. We can help with that, and I hope we'll be able to show you that today. So we kind of look at Zero Trust, which truly isn't a product, it's a framework, right? When it comes to the transport session for the Zero Trust model, we see it as a three-part process. The first step in the process is segmentation, right? It's all about limiting the attack surface that an intrusion can try to exploit. Secondly, we now have an in-hypervisor IDS/IPS. So for the flows we're allowing through our distributed firewall, we also now have the capability to monitor those flows, and we'll talk about that more. But being able to detect or prevent on those flows that we're allowing through our distributed firewall is very important. And then lastly, we're going to talk about something that a lot of people don't even realize we have in our portfolio, and that's network detection and response. And we'll go more into that.
Um, before we go any further, I do want you guys, if you've been around VMware any amount of time, you've probably heard of NSX. NSX was typically one product, right? It was a product that did layer two / layer three networking, some basic load balancing, and a distributed firewall. I don't want you to think of NSX as a product. NSX now is a subcategory, right? Everything networking and security falls under the term NSX. So we have NSX Advanced Load Balancer, we have NSX Advanced Threat Protection, we have NSX Data Center, which is our legacy NSX product that does the layer two / layer three, basic load balancing, and the distributed firewall, and now we also have a firewall-only SKU. So we've taken the distributed firewall out of our NSX product and made a standalone product for that. And then we have our NSX IDS/IPS. So keep that in mind: when you hear the term NSX, don't just think of that one product. Now there are several products underneath that product family. If these two racks are our data processing nodes, and these are our management and analytic racks, and we wanted to provide any level of security with our distributed firewall and IDS/IPS, and we wanted to do these capabilities, IDS/IPS and firewall, in hardware, we would have to make what they call a choke point. And we would have to hairpin all the traffic in and out of our data processing nodes through that IDS/IPS and firewall. And honestly, that can cause a lack of visibility, that can cause performance issues, and it also, really, defeats the purpose of why we put a Virtual Distributed Switch on our data processing nodes in the first place. So what we do at VMware is we turn those hardware constructs into software, and we distribute those across our data processing nodes. And now, because of doing that, we have a distributed architecture that has no blind spots.
We have no performance issues because it's distributed. The other thing we do is we have consistent policies across our data processing nodes and across our data centers. And a lot of people think when you go with our product that it has to be a micro-segmentation implementation, and that's not true. You can go down to where we get very granular, and we have products that will make firewall rule recommendations for you to get to where we lock down all communication except the services and microservices that are part of an application. But you don't have to take it that granular. We can start with something like zone-based firewalling, like this screen is showing, where we have a VDI/RDS capability, a management and infrastructure group, right? Basically zones based on functionality. We could do it with something as simple as two VM tags, right? Whether it's dev/prod or PII/non-PII, and two firewall rules, and we can make it to where those two can't talk, even if they reside on the same subnet. So it doesn't have to be a micro-segmentation play; it can be a segmentation policy, zone-based, user-based. We have an identity-based firewall built into our system that you can utilize, so keep that in mind. It's not all about micro-segmentation when it comes to our firewall. And then with our firewall, every VM now looks like it has a vNIC connected to our firewall and IDS/IPS. We have a capability that nobody else can provide: to be able to see intra-VM traffic inside the same ESXi host. Nobody else can provide that. So something key there. The other thing, if you look over on the right-hand list, is policy and state mobility, right? So if you move a workload to another cluster, to another data center, to the cloud, policies move with it, both our firewall and IDS/IPS. And that's different from what typical network security is, because one of the shortcomings of network security was that it separated trusted from untrusted.
But there was basically a castle-and-moat mentality, right? There was no security once you crossed the moat and got over that wall. That's not the case with us, where our security lives with our application. So that's different. And then when we get to NDR, I'll also talk to you about the other shortcoming and how we fix that, which was that everything with network security was based on signatures. So again, we've worked around that. But in this case, our policies move with our workload as it moves between data centers, across clusters, to the cloud. And the other thing is, when I was a CCIE on site at Bragg, the one thing we never did was remove a policy from a firewall, because we were scared to death of breaking an application, even if we thought that line might not be used. Well, with our solution, if you eliminate a workload and nobody is any longer utilizing policies on our IDS/IPS or firewall, we'll line through them so that you know those are no longer in use. So again, policy and state mobility. And then the other big thing is, we can both detect and prevent with our IDS/IPS. It's not one or the other, we can do both. And then all of this is managed from a centralized console, which is our NSX console, so an all-in-one. So we've got one point of truth for our distributed firewall and our IDS/IPS capability, and we're not having to manage different systems to have that capability. And then this is actually a screen of our IDS/IPS. And it's very interesting, because you can see attack detection from clients to VMs, or from VM to VM. So we can see that. The other big one for me is this bottom one here. In most federal customer networks, a lot of the servers are not always online at the same times, right? You've got deployable kits, you've got servers that are offline, sites that might not be online at certain times of the day.
So there's a good chance that servers might not be patched to the same level. One of the interesting statistics I read about the other day is that 60% of all breaches happen on a vulnerability that has a patch out but not applied. So having another layer of security, I think, is very important to protect unpatched server workloads. Everything we've talked about up until this point is all around our IDS/IPS and our distributed firewall, and those are in-hypervisor. We can run those on bare metal, but most of those are all in our hypervisor, right? So what I'm going to talk about now is our NDR solution. And this came over to us from our Lastline acquisition, right? It's something totally different than we've typically had in our portfolio. And what I like to do is paint this out, because we have several pieces that make up our solution. We have an IDS/IPS capability that runs on our sensors, right? Our sensors do two functions. They run that signature-based detection, which, like I talked about before, was typically one of the shortcomings, because signatures are only as good as yesterday's threat. But we also work in conjunction with our network traffic analytics, and what we do is we can detect anomalous behavior, right? So something that deviates outside the baseline behavior of our network. So why is, all of a sudden, George's computer talking to Phil's computer and uploading so much data? Something like the SUNBURST scenario, right? Nobody would have picked up on the SolarWinds incident, because there was no signature. But we would have picked up on that anomaly detection of computers talking to each other and uploading data to each other that have never talked to each other before. And then, if this protects us against day-one and day-two threats, this protects us against day zero, right? This is where we're going to do our detonation. We're going to detonate unknown artifacts that come into the network to run file analysis against them.
And just like our IDS/IPS works in conjunction with our network traffic analytics, so does our malware analysis. Hackers reuse code, so we compare the known to, I guess, the unknown. We might not know this whole string of code, but we can see this code reuse, and that'll allow us to either raise or lower our maliciousness score, so that we can make sure you understand how high the risk of that vulnerability is, or that intrusion. And then these three things feed our network detection and response solution, so that we can provide a holistic picture of the intrusion. And so our NDR solution got started in the user-focused network, right? 90% of all breaches happen through users. But with the VMware acquisition, now we are also living in the data center, and our in-hypervisor IDS/IPS will be able to feed our NDR, our cloud-based NDR system, and we're hoping to hear soon they'll translate that down to the on-prem solution. And then if you're in a VMware cloud, you can support our in-hypervisor IDS/IPS and firewall. But even if you're not, our sensors will run up in native cloud infrastructure, so that you can receive data back, as far as intrusion incidents, into your NDR system. And then we can also support even very small deployments at branch offices; we've run our sensors on something as small as a beefy laptop. Our data is stored in an Elastic database on our data node, and the good thing about that is we provide you full access to your data. So you can build graphics and your whole dashboard straight from the Elastic database if you choose to, outside of just using our manager. Because we have multiple products that do security, it really depends on who you're selling to, what persona, right?
So if you're talking to the infrastructure team, and they're interested in virtualization, right, it might be a really great idea to position our NSX Data Center product, the one that does layer two / layer three, basic load balancing, our distributed firewall, right? But if you're talking to the network team or the InfoSec team, they might not be interested in that layer two / layer three networking, load balancing; they might only be interested in that visibility and security in their application. So why not talk to them about our firewall-only option and our IDS/IPS capability? If you guys are out there, you're reselling, and you know you're talking to a customer that has an investment already in Cisco ACI, then let's talk to them and tell them, hey, let's just go do what Cisco does best. Let them manage their devices, let us do what we do best, and let us secure the applications that are running in our hypervisor, right? So that'll stop the hairpinning of providing security through ACI, so they can get the best of both worlds: doing the SDN capability with Cisco, and we can secure our data without causing heavy hairpins with the NSX firewall-only SKU. So again, persona-based selling. We do a really great job telling you about the capabilities of VMware; we don't do a good job telling you about the traps, right? Be very careful talking about micro-segmentation. A lot of my coworkers do it at VMware, but a lot of people in CTO seats look at micro-segmentation as a niche play, as a buzzword. Again, you do not have to do micro-segmentation with our product. You can do zone-based, user-based segmentation, or just basically zoning; you don't have to take it all the way to micro-segmentation. The other thing is we are not trying to take on the internet-facing firewall, right? We are a firewall solution mainly protecting data centers from an East-West perspective. So keep that in mind.
Also, keep in mind that we have a firewall-only option that requires no overlay networking now, right? So if you know customers are anti-overlay networking, because they've already got Cisco or something, let's get our firewall-only SKU in there. It's a lot cheaper, it's a lot easier to implement, and if you're looking for an incremental sales strategy, that's the way to do it. Complex messaging: don't go in there talking about vRNI, and don't go in there talking about NSX Intelligence. Just go in there and talk to them about segmentation and visibility, and let's simplify our messaging. And then, last but not least, a lot of people are talking about SDR, SASE, and everything like that. A lot of those are still in the works; they're not out and fully baked yet. So be careful about getting too far over your skis on positioning something that's not fully baked yet. Thanks for listening.

Speaker 1: If you'd like more information on how Carahsoft or VMware can assist your organization, please visit www.carahsoft.com or email us at vmware@carahsoft.com. Thanks again for listening and have a great day.