Nick Marshall, author of Mastering vSphere 6 and long time #vBrownBag’er kicks off our What’s New in vSphere 6 series with an overview of the enhancements and features new in vSphere 6 such as the Platform Services Controller, VVOLs, VSAN, NIOC, and more.

What’s New in vSphere 6 Video

You can follow Nick on Twitter @nickmarshall9, his blog http://nickmarshall.com.au and the Mastering vSphere 6 book http://smile.amazon.com/Mastering-VMware-vSphere-Nick-Marshall/dp/1118925157

Originally published at http://ProfessionalVMware.com – Sign up for the live #vBrownBag broadcast at http://professionalvmware.com/brownbags/ where you can also get updates and view our past series such as the Automate All The Things series at http://professionalvmware.com/vbrownbag-automate-all-the-things-training-schedule/, Cisco certification series http://professionalvmware.com/vbrownbag-cisco-certification-track/ or the Couch to OpenStack series at http://openstack.prov12n.com/openstack_phase_1/


Rob Hirschfeld, founder of RackN, talks about using OpenCrowbar for system deployments.

OpenCrowbar Video

You can follow Rob on Twitter @zehicle and his blog http://robhirschfeld.com. To find out more about OpenCrowbar go to http://crowbar.github.io/home.html



Who do you trust? nobody – by @vCloudernBeer

by Guest Poster on March 16, 2015

This guest post is by Anthony Chow who blogs at http://cloudn1n3.blogspot.co.nz/, where you can find his back catalogue of posts. Find out more about the guest blogger program here.


It is not about me. I do have faith in the human race and there are people that I trust.

It is about a new security model proposed by Forrester Research in 2010.

Traditional Network Security

The problem with the traditional network security model is that it assumes anything outside the network is untrusted while everything inside the network is trusted. Heavy emphasis is put on network access control at the edge. Once a user is in the network, there is not much control.

There is also Role Based Network Control (RBAC), in which a role is assigned to a user after the user successfully authenticates with proper credentials; the role is based on those credentials and sometimes on where and when the user is trying to access the network. RBAC is more useful when implemented at the application level. When RBAC is implemented at the network level, security control is still limited.

With the proliferation of server virtualization, a virtual machine can move from one host to another. This makes applying security controls more difficult – where is the perimeter?

Before we go on we need to spell out two definitions:

  • East-West traffic: the traffic between servers within a datacenter
  • North-South traffic: the traffic between client and server

The traditional security model is mostly tailored to north-south traffic, and not much is done for east-west traffic.

Zero Trust Security Model
The "Zero Trust" security model is proposed by John Kindervag, a senior research analyst at Forrester Research.  His report can be found here (you have to paid to read the full report).  Well, we can also listen to John Kindervag talk about this "Zero Trust" modelhere in YouTube.  Actually the name of this security model captured the essence – "Trust no one".  From the YouTube video, John Kindervag mentioned 3 concepts for "Zero Trust" security model:

  1. All resources are accessed in a secure manner regardless of location
  2. Access control is on a "need-to-know" basis and is strictly enforced
  3. Inspect and log all traffic

Implementing this on the traditional 3 tier network (access/aggregate/core) is not easy.
Today let's take a look at VMware and Cisco products that utilize this "Zero Trust" security model. This security model also protects east-west traffic between servers.
VMware
VMware implements the Zero Trust security model in its NSX product.
VMware NSX is well known as a Software Defined Networking (SDN) product. I have stated in another post that NSX is also a security product, and according to Chris King, vice president of product marketing for VMware's Networking and Security Business Unit, a lot of customers show interest in NSX because of the security features inherent in its design.
NSX is a network virtualization platform that is able to automate, provision and manage network connectivity in a data center. With NSX there are 3 levels of security that can be accomplished:

  1. Isolation
  2. Segmentation
  3. Advanced Segmentation with 3rd party security partners

Isolation
In a traditional network, Access Control Lists (ACLs) are used for isolation. With a virtualized network, the virtual network is by default isolated from the physical network. Each virtualized network is also isolated from the others. This follows the zero trust principle at the virtualized network level.
Segmentation
In NSX there is the concept of micro-segmentation. In a traditional network, segmentation is done through VLANs. With a virtualized network, segmentation is not limited to a VLAN but can be fine-tuned to a smaller group of virtualized resources or even to an individual virtual machine. In fact, as will be explained again later in this post, micro-segmentation is how VMware achieves the zero trust security principle.
Advanced Segmentation with 3rd party security partners
With service chaining, NSX can direct data traffic in a virtualized network to 3rd party security appliances for deeper packet inspection and ACL parsing.
The main idea behind how NSX accomplishes the zero trust security model is a distributed firewall (one on each ESXi host), so that traffic is inspected before being sent out to the network. Even if 2 VMs are connected to the same vSwitch, the distributed firewall inspects the data traffic before sending it to the destination VM. Without the distributed firewall, the 2 virtual machines connected to the same vSwitch are able to pass traffic between each other.
This diagram explains the concept: with the distributed firewall implemented at the hypervisor level, we can accomplish the zero trust security model, where all traffic is inspected and filtered according to the defined security policy:

image source: http://wahlnetwork.com/wn/wp-content/uploads/2014/08/nsx-firewall-yes.jpg

Cisco
Cisco's Application Centric Infrastructure (ACI) supports the concept of this Zero Trust security model.
As the name of this feature suggests, it is all about the Application.

Traditional network security is network based; ACI decouples the security policy and segmentation from the network and defines an "application friendly" policy model. The security policy model in ACI is not only about MAC addresses, IP addresses or port numbers. In ACI the security policy is defined by:

  1. Endpoint Groups (EPG)
  2. Policy Contract
  3. Application Network Profile

image source: http://3.bp.blogspot.com/-2FAS38Y6bUo/VQMGC12Dd0I/AAAAAAAAAlU/oKuRsAG8ygw/s1600/cisco_aci_PolicyModelForSecurity.jpg

Endpoint Group

Devices with a common policy are put together as a group. Grouping can be based on application friendly attributes such as OS, patch level, application type, application component or function. Once created, an Endpoint Group can be used to define security zones, trust boundaries or risk profiles. In ACI the default is no trust.
Policy Contract
The contract defines how data traffic is delivered between Endpoint Groups (EPGs). This is how the security rules are applied to devices regardless of where they are, which matters because virtual machine migration is common in a virtualized environment. The contract defines filters and any associated action. This is similar to traditional firewall rules, which are based on the 5 tuple. Policy contract enforcement between Endpoint Groups can be unidirectional or bidirectional.
Application Network Profile
In the diagram above this is labelled Service Chains. Service chaining is a concept that defines the flow of data traffic from one network service to another. Service chaining is a hot and important topic for Network Function Virtualization (NFV).
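To make the NSX micro-segmentation and ACI Endpoint Group/contract ideas above concrete, here is an added example (not VMware's or Cisco's code) of a small group-based policy engine: endpoints are mapped to groups, contracts allow specific filters from a consumer group to a provider group, traffic with no matching contract is denied even between endpoints in the same group (the "trust no one" assumption of this toy model), and every decision is logged. The group names, endpoint names and port numbers are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed model of group-based zero trust policy (not NSX or ACI code):
# endpoints map to groups, contracts allow (protocol, dst port) filters from a
# consumer group to a provider group, every decision is logged, and anything
# without a matching contract is denied, including traffic inside one group.

@dataclass(frozen=True)
class Contract:
    consumer: str                        # group that opens the connection
    provider: str                        # group that serves it
    filters: FrozenSet[Tuple[str, int]]  # allowed (protocol, dst port) pairs
    bidirectional: bool = False          # also allow provider -> consumer

@dataclass
class ZeroTrustPolicy:
    epg_of: Dict[str, str]               # endpoint name -> group name
    contracts: List[Contract]
    log: List[str] = field(default_factory=list)

    def allows(self, src: str, dst: str, proto: str, dport: int) -> bool:
        src_epg, dst_epg = self.epg_of.get(src), self.epg_of.get(dst)
        verdict = False
        if src_epg and dst_epg:          # unknown endpoints never match
            for c in self.contracts:
                if (proto, dport) not in c.filters:
                    continue
                forward = (c.consumer, c.provider) == (src_epg, dst_epg)
                reverse = c.bidirectional and (c.provider, c.consumer) == (src_epg, dst_epg)
                if forward or reverse:
                    verdict = True
                    break
        # "inspect and log all traffic": record every decision, allowed or not
        action = "ALLOW" if verdict else "DENY"
        self.log.append(f"{action} {src}({src_epg})->{dst}({dst_epg}) {proto}/{dport}")
        return verdict

def demo_policy() -> ZeroTrustPolicy:
    """Three-tier app with constructed endpoint names and contracts."""
    groups = {"web-01": "web", "web-02": "web", "app-01": "app", "db-01": "db"}
    contracts = [
        Contract("web", "app", frozenset({("tcp", 8080)})),   # web may call app
        Contract("app", "db", frozenset({("tcp", 3306)})),    # app may call db
        Contract("web", "app", frozenset({("icmp", 0)}), bidirectional=True),
    ]
    return ZeroTrustPolicy(groups, contracts)
```

Calling `demo_policy().allows("web-01", "db-01", "tcp", 3306)` returns False because no web-to-db contract exists, and `allows("web-01", "web-02", "tcp", 22)` is also False: two endpoints in the same group are still inspected, just as two VMs on the same vSwitch are with the NSX distributed firewall.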
Trust and no trust
I believe the networking industry is catching up with the server and storage virtualization technology. In a network we should trust no one, but in our daily life we should have a certain level of trust in the other people that we come into contact with. Every day we are creating and updating our "Human Centric Profile" as to who and how much we can trust the people we know.



#vBrownBag DevOps Follow-Up Continuous Integration for Networking with Matt Oswalt (@Mierdin)

March 9, 2015

Matt Oswalt explains how Continuous Integration can be used beyond traditional development purposes, to support changes in configurations for network equipment leveraging tools like Ansible. Continuous Integration for Networking Video You can find Matt on Twitter @Mierdin and his blog http://keepingitclassless.net. Examples and presentation materials from this episode can be found on GitHub at https://github.com/Mierdin/ci-networks […]


2015-marzo-5 #vBrownBag LATAM #VMware Network Virtualization #NSX– @wmichel

March 6, 2015

The following content is in Spanish, the language in which the webinar is presented. On 5 March 2015 the ProfessionalVMware #vBrownBag LATAM presented the topic: VMware Network Virtualization – @wmichel. This presentation is a continuation of the #vBrownBag series in Spanish on the VMware Certified Professional – Network Virtualization (VCP-NV) certification, Blueprint v 1.2. Details: […]


#vBrownBag Follow Up – The Art of IT Infrastructure Design

March 4, 2015

On the 3rd of March 2015, the EMEA #vBrownbag welcomed the authors of the soon to be released "The Art of IT Infrastructure Design" book, John Arrasjid @vcdx001, Mark Gabryjelski @MarkGabbs and Chris McCain @hcmccain, onto the podcast to discuss their new book and talk about IT architecture in general. The session was hosted by […]


#vBrownBag DevOps Follow-Up ELK with Larry Smith (@mrlesmithjr)

March 3, 2015

Larry Smith shows you how to leverage Elasticsearch, Logstash, and Kibana to create a robust syslog solution. ELK Video You can find Larry on Twitter @mrlesmithjr and his blog http://everythingshouldbevirtual.com/ Originally published at http://ProfessionalVMware.com – Sign up for the live #vBrownBag broadcast at http://professionalvmware.com/brownbags/ where you can also get updates and view our past series […]


2015-feb-26 #vBrownBag LATAM #VMware Network Virtualization #NSX– @ercruzv Randall Cruz

February 27, 2015

The following content is in Spanish, the language in which the webinar is presented. On 26 February 2015 the ProfessionalVMware #vBrownBag LATAM presented the topic: VMware Network Virtualization – @ercruzv Randall Cruz. This presentation is a continuation of the #vBrownBag series in Spanish. […]


#vBrownBag DevOps Follow-Up Provision VMs in vCenter using Ansible w Jonathan Frappier (@jfrappier)

February 24, 2015

#vBrownBag crew member Jonathan Frappier demos using Ansible to provision virtual machines to vCenter. Ansible supports creating, cloning, and reconfiguring virtual machines in vCenter. Example playbooks can be found at www.virtxpert.com & github. Note that this demo was done with Ansible 1.9 prior to its official release. Ansible & vCenter Video You can follow Jonathan on […]


2015-ene-15 #vBrownBag LATAM VMware Network Virtualization– @ercruzv Randall Cruz

February 19, 2015

The following content is in Spanish, the language in which the webinar is presented. On 15 January 2015 the ProfessionalVMware #vBrownBag LATAM presented the topic: VMware Network Virtualization – @ercruzv Randall Cruz. Originally published at http://ProfessionalVMware.com – Sign up for the […]
